Revert "Remove truncate from rootwrap filters"

This reverts commit a62c9dfdd4.

This did not account for cases where truncate is
called w/o elevated privileges.

Related-Bug: #1818504
Change-Id: I3cb85be854e68fda525cfebe254ce7c85d8e3d37
Eric Harney 2019-03-06 10:07:16 -05:00
parent f5a733c084
commit ade7d89c2e
11 changed files with 38 additions and 45 deletions


@ -27,8 +27,3 @@ import cinder.privsep
@cinder.privsep.sys_admin_pctxt.entrypoint @cinder.privsep.sys_admin_pctxt.entrypoint
def umount(mountpoint): def umount(mountpoint):
processutils.execute('umount', mountpoint, attempts=1, delay_on_retry=True) processutils.execute('umount', mountpoint, attempts=1, delay_on_retry=True)
@cinder.privsep.sys_admin_pctxt.entrypoint
def truncate(size, path):
processutils.execute('truncate', '-s', size, path)


@ -141,22 +141,22 @@ class TestNexentaNfsDriver(test.TestCase):
self.nef_mock.get.return_value = {} self.nef_mock.get.return_value = {}
self.drv.delete_volume(self.TEST_VOLUME) self.drv.delete_volume(self.TEST_VOLUME)
self.nef_mock.delete.assert_called_with( self.nef_mock.delete.assert_called_with(
'storage/pools/pool/filesystems/share%2Fvolume-' 'storage/pools/pool/filesystems/share%2Fvolume-' +
+ fake.VOLUME_ID + '?snapshots=true') fake.VOLUME_ID + '?snapshots=true')
def test_create_snapshot(self): def test_create_snapshot(self):
self._create_volume_db_entry() self._create_volume_db_entry()
self.drv.create_snapshot(self.TEST_SNAPSHOT) self.drv.create_snapshot(self.TEST_SNAPSHOT)
url = ('storage/pools/pool/filesystems/share%2Fvolume-' url = ('storage/pools/pool/filesystems/share%2Fvolume-' +
+ fake.VOLUME_ID + '/snapshots') fake.VOLUME_ID + '/snapshots')
data = {'name': self.TEST_SNAPSHOT['name']} data = {'name': self.TEST_SNAPSHOT['name']}
self.nef_mock.post.assert_called_with(url, data) self.nef_mock.post.assert_called_with(url, data)
def test_delete_snapshot(self): def test_delete_snapshot(self):
self._create_volume_db_entry() self._create_volume_db_entry()
self.drv.delete_snapshot(self.TEST_SNAPSHOT) self.drv.delete_snapshot(self.TEST_SNAPSHOT)
url = ('storage/pools/pool/filesystems/share%2Fvolume-' url = ('storage/pools/pool/filesystems/share%2Fvolume-' +
+ fake.VOLUME_ID + '/snapshots/snapshot1') fake.VOLUME_ID + '/snapshots/snapshot1')
self.drv.delete_snapshot(self.TEST_SNAPSHOT) self.drv.delete_snapshot(self.TEST_SNAPSHOT)
self.nef_mock.delete.assert_called_with(url) self.nef_mock.delete.assert_called_with(url)
@ -185,15 +185,18 @@ class TestNexentaNfsDriver(test.TestCase):
@patch('cinder.volume.drivers.nexenta.ns5.nfs.' @patch('cinder.volume.drivers.nexenta.ns5.nfs.'
'NexentaNfsDriver.local_path') 'NexentaNfsDriver.local_path')
@patch('cinder.privsep.fs.truncate') @patch('oslo_concurrency.processutils.execute')
def test_extend_volume_sparsed(self, mock_truncate, path): def test_extend_volume_sparsed(self, _execute, path):
self._create_volume_db_entry() self._create_volume_db_entry()
path.return_value = 'path' path.return_value = 'path'
self.drv.extend_volume(self.TEST_VOLUME, 2) self.drv.extend_volume(self.TEST_VOLUME, 2)
mock_truncate.assert_called_once_with( _execute.assert_called_with(
'2G', 'path') 'truncate', '-s', '2G',
'path',
root_helper='sudo cinder-rootwrap /etc/cinder/rootwrap.conf',
run_as_root=True)
@patch('cinder.volume.drivers.nexenta.ns5.nfs.' @patch('cinder.volume.drivers.nexenta.ns5.nfs.'
'NexentaNfsDriver.local_path') 'NexentaNfsDriver.local_path')
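Review bot: `_execute.assert_called_with(` in test_extend_volume_sparsed checks only the most recent call on the patched `processutils.execute`, so an additional root-helper invocation made earlier in `extend_volume` would pass unnoticed. The assertion it replaces, and the restored remotefs test in this commit, both use the once-only form. Unless `extend_volume` legitimately issues other commands through the same mock (not visible in this hunk), prefer `_execute.assert_called_once_with(` with the same arguments.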


@ -648,8 +648,7 @@ class GPFSDriverTestCase(test.TestCase):
fake_fs_release = org_fake_fs_release fake_fs_release = org_fake_fs_release
@mock.patch('cinder.utils.execute') @mock.patch('cinder.utils.execute')
@mock.patch('cinder.privsep.fs.truncate') def test_create_sparse_file(self, mock_exec):
def test_create_sparse_file(self, mock_truncate, mock_exec):
self.driver._create_sparse_file('', 100) self.driver._create_sparse_file('', 100)
@mock.patch('cinder.utils.execute') @mock.patch('cinder.utils.execute')


@ -27,7 +27,6 @@ from oslo_utils import units
from cinder import context from cinder import context
from cinder import exception from cinder import exception
from cinder.image import image_utils from cinder.image import image_utils
import cinder.privsep.fs as privsep
from cinder import test from cinder import test
from cinder.tests.unit import fake_snapshot from cinder.tests.unit import fake_snapshot
from cinder.tests.unit import fake_volume from cinder.tests.unit import fake_volume
@ -58,10 +57,10 @@ class RemoteFsDriverTestCase(test.TestCase):
self._execute = mock_exc.start() self._execute = mock_exc.start()
self.addCleanup(mock_exc.stop) self.addCleanup(mock_exc.stop)
@mock.patch('cinder.privsep.fs.truncate') def test_create_sparsed_file(self):
def test_create_sparsed_file(self, mock_truncate):
self._driver._create_sparsed_file('/path', 1) self._driver._create_sparsed_file('/path', 1)
mock_truncate.assert_called_with('1G', '/path') self._execute.assert_called_once_with('truncate', '-s', '1G',
'/path', run_as_root=True)
def test_create_regular_file(self): def test_create_regular_file(self):
self._driver._create_regular_file('/path', 1) self._driver._create_regular_file('/path', 1)
@ -1276,7 +1275,6 @@ class NfsDriverTestCase(test.TestCase):
self.mock_object(drv, '_create_regular_file') self.mock_object(drv, '_create_regular_file')
self.mock_object(drv, '_set_rw_permissions') self.mock_object(drv, '_set_rw_permissions')
self.mock_object(drv, '_read_file') self.mock_object(drv, '_read_file')
self.mock_object(privsep, 'truncate')
ret = drv.create_volume_from_snapshot(new_volume, fake_snap) ret = drv.create_volume_from_snapshot(new_volume, fake_snap)
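Review bot: `test_create_sparsed_file` asserts `run_as_root=True` only, so the unprivileged path that motivated this revert is not pinned by any test in the visible hunks, even though the driver passes `run_as_root=self._execute_as_root`. A companion case that sets `self._driver._execute_as_root = False` (assuming it is a plain attribute) and then checks `self._execute.assert_called_once_with('truncate', '-s', '1G', '/path', run_as_root=False)` would catch a later change that forces truncate through a privileged helper again.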


@ -50,8 +50,8 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT, self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT,
self._fake_volume.name) self._fake_volume.name)
self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context) self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context)
self._fake_snapshot_path = (self._fake_volume_path + '.' self._fake_snapshot_path = (self._fake_volume_path + '.' +
+ self._fake_snapshot.id) self._fake_snapshot.id)
self._fake_snapshot.volume = self._fake_volume self._fake_snapshot.volume = self._fake_volume
@ddt.data({'current_state': 'in-use', @ddt.data({'current_state': 'in-use',
@ -718,9 +718,7 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
@mock.patch('json.dump') @mock.patch('json.dump')
@mock.patch('cinder.volume.drivers.remotefs.open') @mock.patch('cinder.volume.drivers.remotefs.open')
@mock.patch('os.path.exists') @mock.patch('os.path.exists')
@mock.patch('cinder.privsep.fs.truncate')
def test_write_info_file(self, def test_write_info_file(self,
mock_truncate,
mock_os_path_exists, mock_os_path_exists,
mock_open, mock_open,
mock_json_dump, mock_json_dump,
@ -743,8 +741,9 @@ class RemoteFsSnapDriverTestCase(test.TestCase):
self._driver._execute.assert_not_called() self._driver._execute.assert_not_called()
self._driver._set_rw_permissions.assert_not_called() self._driver._set_rw_permissions.assert_not_called()
else: else:
mock_truncate.assert_called_once_with( self._driver._execute.assert_called_once_with(
0, fake_info_path) 'truncate', "-s0", fake_info_path,
run_as_root=self._driver._execute_as_root)
self._driver._set_rw_permissions.assert_called_once_with( self._driver._set_rw_permissions.assert_called_once_with(
fake_info_path) fake_info_path)
@ -869,8 +868,8 @@ class RevertToSnapshotMixinTestCase(test.TestCase):
self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT, self._fake_volume_path = os.path.join(self._FAKE_MNT_POINT,
self._fake_volume.name) self._fake_volume.name)
self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context) self._fake_snapshot = fake_snapshot.fake_snapshot_obj(self.context)
self._fake_snapshot_path = (self._fake_volume_path + '.' self._fake_snapshot_path = (self._fake_volume_path + '.' +
+ self._fake_snapshot.id) self._fake_snapshot.id)
self._fake_snapshot_name = os.path.basename( self._fake_snapshot_name = os.path.basename(
self._fake_snapshot_path) self._fake_snapshot_path)
self._fake_snapshot.volume = self._fake_volume self._fake_snapshot.volume = self._fake_volume


@ -162,9 +162,8 @@ class VeritasCNFSDriverTestCase(test.TestCase):
@mock.patch.object(cnfs.VeritasCNFSDriver, '_do_clone_volume') @mock.patch.object(cnfs.VeritasCNFSDriver, '_do_clone_volume')
@mock.patch.object(cnfs.VeritasCNFSDriver, 'local_path') @mock.patch.object(cnfs.VeritasCNFSDriver, 'local_path')
@mock.patch('cinder.privsep.fs.truncate') def test_create_volume_from_snapshot_greater_size(self, m_local_path,
def test_create_volume_from_snapshot_greater_size( m_do_clone_volume):
self, mock_truncate, m_local_path, m_do_clone_volume):
"""test create volume from snapshot with greater volume size""" """test create volume from snapshot with greater volume size"""
drv = self.driver drv = self.driver
volume = fake_volume.fake_volume_obj(self.context) volume = fake_volume.fake_volume_obj(self.context)


@ -34,7 +34,6 @@ from cinder.i18n import _
from cinder.image import image_utils from cinder.image import image_utils
from cinder import interface from cinder import interface
from cinder.objects import fields from cinder.objects import fields
import cinder.privsep.fs
from cinder import utils from cinder import utils
from cinder.volume import configuration from cinder.volume import configuration
from cinder.volume import driver from cinder.volume import driver
@ -489,7 +488,7 @@ class GPFSDriver(driver.CloneableImageVD,
"""Creates file with 0 disk usage.""" """Creates file with 0 disk usage."""
sizestr = _sizestr(size) sizestr = _sizestr(size)
cinder.privsep.fs.truncate(sizestr, path) self.gpfs_execute('truncate', '-s', sizestr, path)
def _allocate_file_blocks(self, path, size): def _allocate_file_blocks(self, path, size):
"""Preallocate file blocks by writing zeros.""" """Preallocate file blocks by writing zeros."""


@ -24,7 +24,6 @@ from cinder import db
from cinder import exception from cinder import exception
from cinder.i18n import _ from cinder.i18n import _
from cinder import interface from cinder import interface
import cinder.privsep.fs
from cinder.volume.drivers.nexenta.ns5 import jsonrpc from cinder.volume.drivers.nexenta.ns5 import jsonrpc
from cinder.volume.drivers.nexenta import options from cinder.volume.drivers.nexenta import options
from cinder.volume.drivers.nexenta import utils from cinder.volume.drivers.nexenta import utils
@ -242,12 +241,13 @@ class NexentaNfsDriver(nfs.NfsDriver):
LOG.info('Extending volume: %(id)s New size: %(size)s GB', LOG.info('Extending volume: %(id)s New size: %(size)s GB',
{'id': volume['id'], 'size': new_size}) {'id': volume['id'], 'size': new_size})
if self.sparsed_volumes: if self.sparsed_volumes:
cinder.privsep.fs.truncate('%sG' % new_size, self._execute('truncate', '-s', '%sG' % new_size,
self.local_path(volume)) self.local_path(volume),
run_as_root=self._execute_as_root)
else: else:
block_size_mb = 1 block_size_mb = 1
block_count = ((new_size - volume['size']) * units.Gi block_count = ((new_size - volume['size']) * units.Gi //
// (block_size_mb * units.Mi)) (block_size_mb * units.Mi))
self._execute( self._execute(
'dd', 'if=/dev/zero', 'dd', 'if=/dev/zero',
'seek=%d' % (volume['size'] * units.Gi / block_size_mb), 'seek=%d' % (volume['size'] * units.Gi / block_size_mb),


@ -38,7 +38,6 @@ from cinder import exception
from cinder.i18n import _ from cinder.i18n import _
from cinder.image import image_utils from cinder.image import image_utils
from cinder.objects import fields from cinder.objects import fields
import cinder.privsep.fs
from cinder import utils from cinder import utils
from cinder.volume import configuration from cinder.volume import configuration
from cinder.volume import driver from cinder.volume import driver
@ -380,7 +379,8 @@ class RemoteFSDriver(driver.BaseVD):
def _create_sparsed_file(self, path, size): def _create_sparsed_file(self, path, size):
"""Creates a sparse file of a given size in GiB.""" """Creates a sparse file of a given size in GiB."""
cinder.privsep.fs.truncate('%sG' % size, path) self._execute('truncate', '-s', '%sG' % size,
path, run_as_root=self._execute_as_root)
def _create_regular_file(self, path, size): def _create_regular_file(self, path, size):
"""Creates a regular file of given size in GiB.""" """Creates a regular file of given size in GiB."""
@ -753,7 +753,8 @@ class RemoteFSSnapDriverBase(RemoteFSDriver):
if not (os.path.exists(info_path) or os.name == 'nt'): if not (os.path.exists(info_path) or os.name == 'nt'):
# We're not managing file permissions on Windows. # We're not managing file permissions on Windows.
# Plus, 'truncate' is not available. # Plus, 'truncate' is not available.
cinder.privsep.fs.truncate(0, info_path) self._execute('truncate', "-s0", info_path,
run_as_root=self._execute_as_root)
self._set_rw_permissions(info_path) self._set_rw_permissions(info_path)
with open(info_path, 'w') as f: with open(info_path, 'w') as f:


@ -21,7 +21,6 @@ from oslo_utils import excutils
from cinder import exception from cinder import exception
from cinder.i18n import _ from cinder.i18n import _
from cinder import interface from cinder import interface
import cinder.privsep.fs
import cinder.privsep.path import cinder.privsep.path
from cinder.volume.drivers import nfs from cinder.volume.drivers import nfs
@ -173,7 +172,7 @@ class VeritasCNFSDriver(nfs.NfsDriver):
def extend_volume(self, volume, size): def extend_volume(self, volume, size):
"""Extend the volume to new size""" """Extend the volume to new size"""
path = self.local_path(volume) path = self.local_path(volume)
cinder.privsep.fs.truncate('%sG' % size, path) self._execute('truncate', '-s', '%sG' % size, path, run_as_root=True)
LOG.debug("VeritasNFSDriver: extend_volume volume_id = %s", volume.id) LOG.debug("VeritasNFSDriver: extend_volume volume_id = %s", volume.id)
def _update_volume_stats(self): def _update_volume_stats(self):
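Review bot: `extend_volume` hard-codes `run_as_root=True` on the restored `self._execute('truncate', ...)` call, whereas the other NFS-derived callers restored in this commit (`NexentaNfsDriver.extend_volume`, `RemoteFSDriver._create_sparsed_file`) pass `run_as_root=self._execute_as_root`. Since the revert exists because truncate is sometimes run without elevated privileges, this driver will still always go through rootwrap, even where the deployment is configured for unprivileged file operations. If `VeritasCNFSDriver` inherits `_execute_as_root` from `nfs.NfsDriver` (likely, but not visible here), consider `self._execute('truncate', '-s', '%sG' % size, path, run_as_root=self._execute_as_root)`.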


@ -86,6 +86,7 @@ stat: CommandFilter, stat, root
mount: CommandFilter, mount, root mount: CommandFilter, mount, root
df: CommandFilter, df, root df: CommandFilter, df, root
du: CommandFilter, du, root du: CommandFilter, du, root
truncate: CommandFilter, truncate, root
chmod: CommandFilter, chmod, root chmod: CommandFilter, chmod, root
rm: CommandFilter, rm, root rm: CommandFilter, rm, root
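Review bot: `truncate: CommandFilter, truncate, root` matches on the command name only, so once restored it lets anything able to invoke cinder-rootwrap run truncate as root with arbitrary arguments against any path, not just volume files under the driver mount points. The callers in this commit use only two argument shapes, `-s <N>G <path>` and `-s0 <path>`, so the entry could be narrowed with oslo.rootwrap's `RegExpFilter`, e.g. `truncate: RegExpFilter, truncate, root, truncate, -s, \d+G, <VOLUME_PATH_REGEX>` (placeholder path pattern; the `-s0` form would need its own entry). At minimum add a comment naming the consumers, such as `# cinder/volume/drivers/remotefs.py: 'truncate', '-s', size, path`, so the filter can be dropped once those calls no longer need rootwrap.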