From cdb9fe351d9491ad4b5495a5a122430e851ba5b4 Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Tue, 1 Dec 2020 08:26:27 +0000
Subject: [PATCH] Remove run_as_root which fails without root_helper

It appears that this library is typically run as the root user which shouldn't require 'run_as_root'. When running as an unprivileged user the required permissions can be granted by specifying 'AmbientCapabilities = CAP_NET_ADMIN' in the service, rather than 'CapabilityBoundingSet'. An alternative approach would be to specify a 'root_helper' or to switch to oslo.privsep, but these don't fully solve the problem as the 'pyroute2' library also requires 'CAP_NET_ADMIN'.

Closes-Bug: #1852105
Change-Id: I9d0942f1cfc06cc3a7585683a030516096297767
---
 kuryr/lib/binding/drivers/hw_veb.py | 1 -
 kuryr/lib/binding/drivers/veth.py | 5 ++---
 kuryr/tests/unit/binding/drivers/test_hw_veb.py | 2 --
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/kuryr/lib/binding/drivers/hw_veb.py b/kuryr/lib/binding/drivers/hw_veb.py
index 7188ac89..7a364737 100644
--- a/kuryr/lib/binding/drivers/hw_veb.py
+++ b/kuryr/lib/binding/drivers/hw_veb.py
@@ -70,5 +70,4 @@ def _set_vf_interface_vlan(pf_ifname, vf_num, mac_addr, vlan=0):
 'vf', vf_num,
 'mac', mac_addr,
 'vlan', vlan,
- run_as_root=True,
 check_exit_code=exit_code)
diff --git a/kuryr/lib/binding/drivers/veth.py b/kuryr/lib/binding/drivers/veth.py
index d0f56e34..078546c8 100644
--- a/kuryr/lib/binding/drivers/veth.py
+++ b/kuryr/lib/binding/drivers/veth.py
@@ -114,7 +114,7 @@ def port_unbind(endpoint_id, neutron_port, **kwargs):
 network_id = neutron_port['network_id']
 stdout, stderr = processutils.execute(
 unbinding_exec_path, constants.UNBINDING_SUBCOMMAND, port_id, ifname,
- endpoint_id, mac_address, vif_details, network_id, run_as_root=True)
+ endpoint_id, mac_address, vif_details, network_id)
 try:
 utils.remove_device(ifname)
 except pyroute2.NetlinkError:
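Review bot: With `run_as_root=True` removed from the call in `_set_vf_interface_vlan`, a process that lacks CAP_NET_ADMIN no longer fails before the command runs; the kernel refuses the operation instead, and that refusal can be read as success. The unit test in this patch shows the accepted exit codes are `[0, 2, 254]`, and `ip` (which the `vf`/`mac`/`vlan` arguments suggest, though the start of the command is outside the hunk) exits with 2 for errors reported by the kernel, so a permission error would leave the VF's MAC and VLAN unchanged without raising. Consider keeping the result and surfacing stderr, e.g. `_, err = processutils.execute(...)` then `if err: LOG.warning("VF config: %s", err)` if the module has a logger, or at least a comment `# needs CAP_NET_ADMIN; exit code 2 would also hide EPERM`. The function body and the definition of `exit_code` begin outside the hunk.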
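Review bot: The privilege requirement of the `processutils.execute` call in `port_unbind` is now implicit, and the same holds for the call in `_configure_host_iface` in the next hunk: the binding script runs with whatever privileges the calling process holds. A comment at both calls would record the deployment contract stated in the commit message, e.g. `# Runs with the caller's privileges: needs root or CAP_NET_ADMIN as an ambient capability (bug 1852105)`. Whether the scripts need anything beyond CAP_NET_ADMIN cannot be seen from the hunk and is worth confirming before relying on an unprivileged service user. `port_unbind` starts and ends outside the hunk.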
@@ -148,6 +148,5 @@ def _configure_host_iface(ifname, endpoint_id, port_id, net_id, project_id,
 stdout, stderr = processutils.execute(
 binding_exec_path, constants.BINDING_SUBCOMMAND, port_id, ifname,
 endpoint_id, hwaddr, net_id, project_id,
- lib_utils.string_mappings(details),
- run_as_root=True)
+ lib_utils.string_mappings(details))
 return stdout, stderr
diff --git a/kuryr/tests/unit/binding/drivers/test_hw_veb.py b/kuryr/tests/unit/binding/drivers/test_hw_veb.py
index 48256095..a7898723 100644
--- a/kuryr/tests/unit/binding/drivers/test_hw_veb.py
+++ b/kuryr/tests/unit/binding/drivers/test_hw_veb.py
@@ -63,7 +63,6 @@ class TestHwVebDriver(base.TestCase):
 'vf', fake_vf_num,
 'mac', fake_port['port']['mac_address'],
 'vlan', fake_vlan_id,
- run_as_root=True,
 check_exit_code=[0, 2, 254])

 @mock.patch('oslo_concurrency.processutils.execute',
@@ -91,5 +90,4 @@ class TestHwVebDriver(base.TestCase):
 'vf', fake_vf_num,
 'mac', fake_port['port']['mac_address'],
 'vlan', 0,
- run_as_root=True,
 check_exit_code=[0, 2, 254])