Skip to content
GitLab
Unverified Commit 51a6b50a authored by Sebastiaan van Steenis's avatar Sebastiaan van Steenis Committed by GitHub
Browse files

Revert "Do not rewrite SELinux labels on volume mounts"

parent e0b89224
release/v1.3 1.2.5 enable_fossa githubaction-go-generate-2022-01-19-14-09-53 githubaction-go-generate-2022-01-19-16-59-09 githubaction-go-generate-2022-02-02-16-53-10 githubaction-go-generate-2022-03-19-01-55-24 githubaction-go-generate-2022-03-19-02-28-40 githubaction-go-generate-2022-03-24-18-41-17 githubaction-go-generate-2022-04-27-01-07-30 githubaction-go-generate-2022-04-27-16-36-37 githubaction-go-generate-2022-04-28-23-21-04 githubaction-go-generate-2022-04-29-00-20-33 githubaction-go-generate-2022-04-29-03-20-39 githubaction-go-generate-2022-04-29-03-34-38 githubaction-go-generate-2022-05-05-16-15-24 githubaction-go-generate-2022-05-06-15-36-45 githubaction-go-generate-2022-05-06-21-32-47 label-opened-issues master revert-2541-no_selinux_relabel v1.3.11-rc2 v1.3.11-rc1 v1.3.10 v1.3.10-rc7 v1.3.10-rc6 v1.3.10-rc5 v1.3.10-rc4 v1.3.10-rc3 v1.3.10-rc2 v1.3.10-rc1 v1.3.9 v1.3.9-rc1 v1.3.8 v1.3.8-rc12 v1.3.8-rc11 v1.3.8-rc10 v1.3.8-rc9 v1.3.8-rc8 v1.3.8-rc7 v1.3.8-rc6 v1.3.8-rc5 v1.3.8-rc4 v1.3.8-rc3 v1.3.8-rc2 v1.3.8-rc1 v1.3.7 v1.3.7-rc1 v1.3.6 v1.3.6-rc1 v1.3.5 v1.3.5-rc1 v1.3.5-alpha1 v1.3.4 v1.3.4-rc1 v1.3.3 v1.3.3-rc6 v1.3.3-rc5 v1.3.3-rc4 v1.3.3-rc3 v1.3.3-rc2 v1.3.3-rc1 v1.3.2 v1.3.2-rc2 v1.3.2-rc1 v1.3.1 v1.3.1-rc1 v1.3.0 v1.3.0-rc20 v1.3.0-rc19 v1.3.0-rc18 v1.3.0-rc17 v1.3.0-rc16 v1.3.0-rc15 v1.3.0-rc14 v1.3.0-rc13 v1.3.0-rc12 v1.3.0-rc11 v1.3.0-rc10
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 42 additions and 91 deletions
+42 -91
cluster/cluster.go
+ 0
- 1
View file @ 51a6b50a
......@@ -99,7 +99,6 @@ const (
NameLabel = "name"
WorkerThreads = util.WorkerThreads
SELinuxLabel = services.SELinuxLabel
serviceAccountTokenFileParam = "service-account-key-file"
......
cluster/file-deployer.go
+ 1
- 7
View file @ 51a6b50a
......@@ -60,15 +60,9 @@ func doDeployFile(ctx context.Context, host *hosts.Host, fileName, fileContents,
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
},
}
if hosts.IsDockerSELinuxEnabled(host) {
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, ContainerName, host.Address)
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRunOnetimeContainer(ctx, host.DClient, imageCfg, hostCfg, ContainerName, host.Address, ServiceName, prsMap); err != nil {
return err
}
......
cluster/plan.go
+ 18
- 18
View file @ 51a6b50a
......@@ -266,10 +266,10 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
services.SidekickContainerName,
}
Binds := []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
}
if c.Services.KubeAPI.AuditLog != nil && c.Services.KubeAPI.AuditLog.Enabled {
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit", path.Join(host.PrefixPath, "/var/log/kube-audit")))
Binds = append(Binds, fmt.Sprintf("%s:/var/log/kube-audit:z", path.Join(host.PrefixPath, "/var/log/kube-audit")))
bytes, err := yaml.Marshal(c.Services.KubeAPI.AuditLog.Configuration.Policy)
if err != nil {
logrus.Warnf("Error while marshalling auditlog policy: %v", err)
......@@ -358,7 +358,7 @@ func (c *Cluster) BuildKubeControllerProcess(host *hosts.Host, serviceOptions v3
services.SidekickContainerName,
}
Binds := []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
}
for arg, value := range c.Services.KubeController.ExtraArgs {
......@@ -485,29 +485,29 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
}
} else {
Binds = []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
"/etc/cni:/etc/cni:rw",
"/opt/cni:/opt/cni:rw",
fmt.Sprintf("%s:/var/lib/cni", path.Join(host.PrefixPath, "/var/lib/cni")),
"/var/lib/calico:/var/lib/calico",
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
"/etc/cni:/etc/cni:rw,z",
"/opt/cni:/opt/cni:rw,z",
fmt.Sprintf("%s:/var/lib/cni:z", path.Join(host.PrefixPath, "/var/lib/cni")),
"/var/lib/calico:/var/lib/calico:z",
"/etc/resolv.conf:/etc/resolv.conf",
"/sys:/sys:rprivate",
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave",
fmt.Sprintf("%s:%s:shared", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
"/var/lib/rancher:/var/lib/rancher:shared",
host.DockerInfo.DockerRootDir + ":" + host.DockerInfo.DockerRootDir + ":rw,rslave,z",
fmt.Sprintf("%s:%s:shared,z", path.Join(host.PrefixPath, "/var/lib/kubelet"), path.Join(host.PrefixPath, "/var/lib/kubelet")),
"/var/lib/rancher:/var/lib/rancher:shared,z",
"/var/run:/var/run:rw,rprivate",
"/run:/run:rprivate",
fmt.Sprintf("%s:/etc/ceph", path.Join(host.PrefixPath, "/etc/ceph")),
"/dev:/host/dev:rprivate",
"/var/log/containers:/var/log/containers",
"/var/log/pods:/var/log/pods",
"/var/log/containers:/var/log/containers:z",
"/var/log/pods:/var/log/pods:z",
"/usr:/host/usr:ro",
"/etc:/host/etc:ro",
}
// Special case to simplify using flex volumes
if path.Join(host.PrefixPath, "/var/lib/kubelet") != "/var/lib/kubelet" {
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared")
Binds = append(Binds, "/var/lib/kubelet/volumeplugins:/var/lib/kubelet/volumeplugins:shared,z")
}
}
Binds = append(Binds, host.GetExtraBinds(kubelet.BaseService)...)
......@@ -622,7 +622,7 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
}
} else {
Binds = []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
"/run:/run",
}
......@@ -740,7 +740,7 @@ func (c *Cluster) BuildSchedulerProcess(host *hosts.Host, serviceOptions v3.Kube
services.SidekickContainerName,
}
Binds := []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
}
for arg, value := range c.Services.Scheduler.ExtraArgs {
......@@ -910,8 +910,8 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
}
Binds := []string{
fmt.Sprintf("%s:%s", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
}
if serviceOptions.Etcd != nil {
......
hosts/hosts.go
+ 1
- 5
View file @ 51a6b50a
......@@ -51,7 +51,6 @@ const (
CleanerContainerName = "kube-cleaner"
LogCleanerContainerName = "rke-log-cleaner"
RKELogsPath = "/var/lib/rancher/rke/log"
SELinuxLabel = "label=type:rke_container_t"
B2DOS = "Boot2Docker"
B2DPrefixPath = "/mnt/sda1/rke"
......@@ -307,14 +306,11 @@ func buildCleanerConfig(host *Host, toCleanDirs []string, cleanerImage string) (
}
bindMounts := []string{}
for _, vol := range toCleanDirs {
bindMounts = append(bindMounts, fmt.Sprintf("%s:%s", vol, vol))
bindMounts = append(bindMounts, fmt.Sprintf("%s:%s:z", vol, vol))
}
hostCfg := &container.HostConfig{
Binds: bindMounts,
}
if IsDockerSELinuxEnabled(host) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
return imageCfg, hostCfg
}
......
pki/deploy.go
+ 3
- 3
View file @ 51a6b50a
......@@ -86,7 +86,7 @@ func DeployStateOnPlaneHost(ctx context.Context, host *hosts.Host, stateDownload
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
},
Privileged: true,
}
......@@ -142,7 +142,7 @@ func doRunDeployer(ctx context.Context, host *hosts.Host, containerEnv []string,
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
},
Privileged: true,
}
......@@ -300,7 +300,7 @@ func FetchFileFromHost(ctx context.Context, filePath, image string, host *hosts.
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
},
Privileged: true,
}
......
pki/pki.go
+ 4
- 4
View file @ 51a6b50a
......@@ -112,8 +112,8 @@ func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemI
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup", etcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
},
Privileged: true,
}
......@@ -149,8 +149,8 @@ func ExtractBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSyst
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup", etcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
},
Privileged: true,
}
......
services/controlplane.go
+ 1
- 1
View file @ 51a6b50a
......@@ -374,7 +374,7 @@ func RunGetStateFileFromConfigMap(ctx context.Context, controlPlaneHost *hosts.H
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(controlPlaneHost.PrefixPath, "/etc/kubernetes")),
},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
......
services/etcd.go
+ 14
- 47
View file @ 51a6b50a
......@@ -346,16 +346,12 @@ func RunEtcdSnapshotSave(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: restartPolicy},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if once {
log.Infof(ctx, "[etcd] Running snapshot save once on host [%s]", etcdHost.Address)
logrus.Debugf("[etcd] Using command [%s] for snapshot save once container [%s] on host [%s]", getSanitizedSnapshotCmd(imageCfg, es.BackupConfig), EtcdSnapshotOnceContainerName, etcdHost.Address)
......@@ -417,16 +413,12 @@ func RunGetStateFileFromSnapshot(ctx context.Context, etcdHost *hosts.Host, prsM
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdStateFileContainerName, etcdHost.Address); err != nil {
return "", err
}
......@@ -488,14 +480,11 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
log.Infof(ctx, s3Logline)
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
return err
}
......@@ -547,14 +536,11 @@ func RestoreEtcdSnapshot(ctx context.Context, etcdHost *hosts.Host, prsMap map[s
}
hostCfg := &container.HostConfig{
Binds: []string{
"/opt/rke/:/opt/rke/",
fmt.Sprintf("%s:/var/lib/rancher/etcd", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
"/opt/rke/:/opt/rke/:z",
fmt.Sprintf("%s:/var/lib/rancher/etcd:z", path.Join(etcdHost.PrefixPath, "/var/lib/etcd")),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdRestoreContainerName, etcdHost.Address); err != nil {
return err
}
......@@ -624,13 +610,10 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
},
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdSnapshotRemoveContainerName, etcdHost.Address); err != nil {
return err
}
......@@ -667,12 +650,9 @@ func GetEtcdSnapshotChecksum(ctx context.Context, etcdHost *hosts.Host, prsMap m
}
hostCfg := &container.HostConfig{
Binds: []string{
"/opt/rke/:/opt/rke/",
"/opt/rke/:/opt/rke/:z",
}}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRunContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdChecksumContainerName, etcdHost.Address, ETCDRole, prsMap); err != nil {
return checksum, err
}
......@@ -751,14 +731,11 @@ func StartBackupServer(ctx context.Context, etcdHost *hosts.Host, prsMap map[str
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "no"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdServeBackupContainerName, etcdHost.Address); err != nil {
return err
}
......@@ -802,14 +779,11 @@ func DownloadEtcdSnapshotFromBackupServer(ctx context.Context, etcdHost *hosts.H
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/backup", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
fmt.Sprintf("%s:/backup:z", EtcdSnapshotPath),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(etcdHost.PrefixPath, "/etc/kubernetes"))},
NetworkMode: container.NetworkMode("host"),
RestartPolicy: container.RestartPolicy{Name: "on-failure"},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
if err := docker.DoRemoveContainer(ctx, etcdHost.DClient, EtcdDownloadBackupContainerName, etcdHost.Address); err != nil {
return err
}
......@@ -852,13 +826,6 @@ func setEtcdPermissions(ctx context.Context, etcdHost *hosts.Host, prsMap map[st
hostCfg := &container.HostConfig{
Binds: []string{dataBind},
}
if hosts.IsDockerSELinuxEnabled(etcdHost) {
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
logrus.Debugf("Applying security opt label [%s] for [%s] container on host [%s]", SELinuxLabel, EtcdPermFixContainerName, etcdHost.Address)
hostCfg.SecurityOpt = []string{SELinuxLabel}
}
if err := docker.DoRunOnetimeContainer(ctx, etcdHost.DClient, imageCfg, hostCfg, EtcdPermFixContainerName,
etcdHost.Address, ETCDRole, prsMap); err != nil {
return err
......
services/services.go
+ 0
- 5
View file @ 51a6b50a
......@@ -52,7 +52,6 @@ const (
ContainerNameLabel = "io.rancher.rke.container.name"
MCSLabel = "label=level:s0:c1000,c1001"
SELinuxLabel = "label=type:rke_container_t"
)
type RestartFunc func(context.Context, *hosts.Host) error
......@@ -143,10 +142,6 @@ func GetProcessConfig(process v3.Process, host *hosts.Host) (*container.Config,
hostCfg.SecurityOpt = []string{MCSLabel}
}
}
// We apply the label because we do not rewrite SELinux labels anymore on volume mounts (no :z)
logrus.Debugf("Applying security opt label [%s] for etcd container on host [%s]", SELinuxLabel, host.Address)
hostCfg.SecurityOpt = append(hostCfg.SecurityOpt, SELinuxLabel)
}
return imageCfg, hostCfg, process.HealthCheck.URL
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

免费DevSecOps平台,让您的项目体验完整的DevSecOps流程,让项目更安全