Revert "Remove truncate from rootwrap filters"

This reverts commit a62c9dfdd4.

This did not account for cases where truncate is
called w/o elevated privileges.

Related-Bug: #1818504
Change-Id: I3cb85be854e68fda525cfebe254ce7c85d8e3d37

cinder/privsep/fs.py

@@ -27,8 +27,3 @@ import cinder.privsep
 @cinder.privsep.sys_admin_pctxt.entrypoint
 def umount(mountpoint):
     processutils.execute('umount', mountpoint, attempts=1, delay_on_retry=True)
-
-
-@cinder.privsep.sys_admin_pctxt.entrypoint
-def truncate(size, path):
-    processutils.execute('truncate', '-s', size, path)

cinder/tests/unit/volume/drivers/nexenta/test_nexenta5_nfs.py

@@ -141,22 +141,22 @@ class TestNexentaNfsDriver(test.TestCase):
         self.nef_mock.get.return_value = {}
         self.drv.delete_volume(self.TEST_VOLUME)
         self.nef_mock.delete.assert_called_with(
-            'storage/pools/pool/filesystems/share%2Fvolume-'
+            'storage/pools/pool/filesystems/share%2Fvolume-' +
-            + fake.VOLUME_ID + '?snapshots=true')
+            fake.VOLUME_ID + '?snapshots=true')
 
     def test_create_snapshot(self):
         self._create_volume_db_entry()
         self.drv.create_snapshot(self.TEST_SNAPSHOT)
-        url = ('storage/pools/pool/filesystems/share%2Fvolume-'
+        url = ('storage/pools/pool/filesystems/share%2Fvolume-' +
-               + fake.VOLUME_ID + '/snapshots')
+               fake.VOLUME_ID + '/snapshots')
         data = {'name': self.TEST_SNAPSHOT['name']}
         self.nef_mock.post.assert_called_with(url, data)
 
     def test_delete_snapshot(self):
         self._create_volume_db_entry()
         self.drv.delete_snapshot(self.TEST_SNAPSHOT)
-        url = ('storage/pools/pool/filesystems/share%2Fvolume-'
+        url = ('storage/pools/pool/filesystems/share%2Fvolume-' +
-               + fake.VOLUME_ID + '/snapshots/snapshot1')
+               fake.VOLUME_ID + '/snapshots/snapshot1')
         self.drv.delete_snapshot(self.TEST_SNAPSHOT)
         self.nef_mock.delete.assert_called_with(url)
 
@@ -185,15 +185,18 @@ class TestNexentaNfsDriver(test.TestCase):
 
     @patch('cinder.volume.drivers.nexenta.ns5.nfs.'
            'NexentaNfsDriver.local_path')
-    @patch('cinder.privsep.fs.truncate')
+    @patch('oslo_concurrency.processutils.execute')
-    def test_extend_volume_sparsed(self, mock_truncate, path):
+    def test_extend_volume_sparsed(self, _execute, path):
         self._create_volume_db_entry()
         path.return_value = 'path'
 
         self.drv.extend_volume(self.TEST_VOLUME, 2)
 
-        mock_truncate.assert_called_once_with(
+        _execute.assert_called_with(
-            '2G', 'path')
+            'truncate', '-s', '2G',
+            'path',
+            root_helper='sudo cinder-rootwrap /etc/cinder/rootwrap.conf',
+            run_as_root=True)
 
     @patch('cinder.volume.drivers.nexenta.ns5.nfs.'
            'NexentaNfsDriver.local_path')

cinder/tests/unit/volume/drivers/test_gpfs.py

@@ -648,8 +648,7 @@ class GPFSDriverTestCase(test.TestCase):
         fake_fs_release = org_fake_fs_release
 
     @mock.patch('cinder.utils.execute')
-    @mock.patch('cinder.privsep.fs.truncate')
+    def test_create_sparse_file(self, mock_exec):
-    def test_create_sparse_file(self, mock_truncate, mock_exec):
         self.driver._create_sparse_file('', 100)
 
     @mock.patch('cinder.utils.execute')

cinder/tests/unit/volume/drivers/test_nfs.py

@@ -27,7 +27,6 @@ from oslo_utils import units
 from cinder import context
 from cinder import exception
 from cinder.image import image_utils
-import cinder.privsep.fs as privsep
 from cinder import test
 from cinder.tests.unit import fake_snapshot
 from cinder.tests.unit import fake_volume
@@ -58,10 +57,10 @@ class RemoteFsDriverTestCase(test.TestCase):
         self._execute = mock_exc.start()
         self.addCleanup(mock_exc.stop)
 
-    @mock.patch('cinder.privsep.fs.truncate')
+    def test_create_sparsed_file(self):
-    def test_create_sparsed_file(self, mock_truncate):
         self._driver._create_sparsed_file('/path', 1)
-        mock_truncate.assert_called_with('1G', '/path')
+        self._execute.assert_called_once_with('truncate', '-s', '1G',
+                                              '/path', run_as_root=True)
 
     def test_create_regular_file(self):
         self._driver._create_regular_file('/path', 1)
@@ -1276,7 +1275,6 @@ class NfsDriverTestCase(test.TestCase):
         self.mock_object(drv, '_create_regular_file')
         self.mock_object(drv, '_set_rw_permissions')
         self.mock_object(drv, '_read_file')
-        self.mock_object(privsep, 'truncate')
 
         ret = drv.create_volume_from_snapshot(new_volume, fake_snap)
 

cinder/tests/unit/volume/drivers/test_remotefs.py

@@ -50,8 +50,8 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
         self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT,
                                               self._fake_volume.name)
         self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context)
-        self._fake_snapshot_path = (self._fake_volume_path + '.'
+        self._fake_snapshot_path = (self._fake_volume_path + '.' +
-                                    + self._fake_snapshot.id)
+                                    self._fake_snapshot.id)
         self._fake_snapshot.volume = self._fake_volume
 
     @ddt.data({'current_state': 'in-use',
@@ -718,9 +718,7 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
     @mock.patch('json.dump')
     @mock.patch('cinder.volume.drivers.remotefs.open')
     @mock.patch('os.path.exists')
-    @mock.patch('cinder.privsep.fs.truncate')
     def test_write_info_file(self,
-                             mock_truncate,
                              mock_os_path_exists,
                              mock_open,
                              mock_json_dump,
@@ -743,8 +741,9 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
             self._driver._execute.assert_not_called()
             self._driver._set_rw_permissions.assert_not_called()
         else:
-            mock_truncate.assert_called_once_with(
+            self._driver._execute.assert_called_once_with(
-                0, fake_info_path)
+                'truncate', "-s0", fake_info_path,
+                run_as_root=self._driver._execute_as_root)
             self._driver._set_rw_permissions.assert_called_once_with(
                 fake_info_path)
 
@@ -869,8 +868,8 @@ class RevertToSnapshotMixinTestCase(test.TestCase):
         self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT,
                                               self._fake_volume.name)
         self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context)
-        self._fake_snapshot_path = (self._fake_volume_path + '.'
+        self._fake_snapshot_path = (self._fake_volume_path + '.' +
-                                    + self._fake_snapshot.id)
+                                    self._fake_snapshot.id)
         self._fake_snapshot_name = os.path.basename(
             self._fake_snapshot_path)
         self._fake_snapshot.volume = self._fake_volume

cinder/tests/unit/volume/drivers/test_veritas_cnfs.py

@@ -162,9 +162,8 @@ class VeritasCNFSDriverTestCase(test.TestCase):
 
     @mock.patch.object(cnfs.VeritasCNFSDriver, '_do_clone_volume')
     @mock.patch.object(cnfs.VeritasCNFSDriver, 'local_path')
-    @mock.patch('cinder.privsep.fs.truncate')
+    def test_create_volume_from_snapshot_greater_size(self, m_local_path,
-    def test_create_volume_from_snapshot_greater_size(
+                                                      m_do_clone_volume):
-            self, mock_truncate, m_local_path, m_do_clone_volume):
         """test create volume from snapshot with greater volume size"""
         drv = self.driver
         volume = fake_volume.fake_volume_obj(self.context)

cinder/volume/drivers/ibm/gpfs.py

@@ -34,7 +34,6 @@ from cinder.i18n import _
 from cinder.image import image_utils
 from cinder import interface
 from cinder.objects import fields
-import cinder.privsep.fs
 from cinder import utils
 from cinder.volume import configuration
 from cinder.volume import driver
@@ -489,7 +488,7 @@ class GPFSDriver(driver.CloneableImageVD,
         """Creates file with 0 disk usage."""
 
         sizestr = _sizestr(size)
-        cinder.privsep.fs.truncate(sizestr, path)
+        self.gpfs_execute('truncate', '-s', sizestr, path)
 
     def _allocate_file_blocks(self, path, size):
         """Preallocate file blocks by writing zeros."""

cinder/volume/drivers/nexenta/ns5/nfs.py

@@ -24,7 +24,6 @@ from cinder import db
 from cinder import exception
 from cinder.i18n import _
 from cinder import interface
-import cinder.privsep.fs
 from cinder.volume.drivers.nexenta.ns5 import jsonrpc
 from cinder.volume.drivers.nexenta import options
 from cinder.volume.drivers.nexenta import utils
@@ -242,12 +241,13 @@ class NexentaNfsDriver(nfs.NfsDriver):
         LOG.info('Extending volume: %(id)s New size: %(size)s GB',
                  {'id': volume['id'], 'size': new_size})
         if self.sparsed_volumes:
-            cinder.privsep.fs.truncate('%sG' % new_size,
+            self._execute('truncate', '-s', '%sG' % new_size,
-                                       self.local_path(volume))
+                          self.local_path(volume),
+                          run_as_root=self._execute_as_root)
         else:
             block_size_mb = 1
-            block_count = ((new_size - volume['size']) * units.Gi
+            block_count = ((new_size - volume['size']) * units.Gi //
-                           // (block_size_mb * units.Mi))
+                           (block_size_mb * units.Mi))
             self._execute(
                 'dd', 'if=/dev/zero',
                 'seek=%d' % (volume['size'] * units.Gi / block_size_mb),

cinder/volume/drivers/remotefs.py

@@ -38,7 +38,6 @@ from cinder import exception
 from cinder.i18n import _
 from cinder.image import image_utils
 from cinder.objects import fields
-import cinder.privsep.fs
 from cinder import utils
 from cinder.volume import configuration
 from cinder.volume import driver
@@ -380,7 +379,8 @@ class RemoteFSDriver(driver.BaseVD):
 
     def _create_sparsed_file(self, path, size):
         """Creates a sparse file of a given size in GiB."""
-        cinder.privsep.fs.truncate('%sG' % size, path)
+        self._execute('truncate', '-s', '%sG' % size,
+                      path, run_as_root=self._execute_as_root)
 
     def _create_regular_file(self, path, size):
         """Creates a regular file of given size in GiB."""
@@ -753,7 +753,8 @@ class RemoteFSSnapDriverBase(RemoteFSDriver):
         if not (os.path.exists(info_path) or os.name == 'nt'):
             # We're not managing file permissions on Windows.
             # Plus, 'truncate' is not available.
-            cinder.privsep.fs.truncate(0, info_path)
+            self._execute('truncate', "-s0", info_path,
+                          run_as_root=self._execute_as_root)
             self._set_rw_permissions(info_path)
 
         with open(info_path, 'w') as f:

cinder/volume/drivers/veritas_cnfs.py

@@ -21,7 +21,6 @@ from oslo_utils import excutils
 from cinder import exception
 from cinder.i18n import _
 from cinder import interface
-import cinder.privsep.fs
 import cinder.privsep.path
 from cinder.volume.drivers import nfs
 
@@ -173,7 +172,7 @@ class VeritasCNFSDriver(nfs.NfsDriver):
     def extend_volume(self, volume, size):
         """Extend the volume to new size"""
         path = self.local_path(volume)
-        cinder.privsep.fs.truncate('%sG' % size, path)
+        self._execute('truncate', '-s', '%sG' % size, path, run_as_root=True)
         LOG.debug("VeritasNFSDriver: extend_volume volume_id = %s", volume.id)
 
     def _update_volume_stats(self):

etc/cinder/rootwrap.d/volume.filters

@@ -86,6 +86,7 @@ stat: CommandFilter, stat, root
 mount: CommandFilter, mount, root
 df: CommandFilter, df, root
 du: CommandFilter, du, root
+truncate: CommandFilter, truncate, root
 chmod: CommandFilter, chmod, root
 rm: CommandFilter, rm, root