Do not copy /sbin/ip to /usr/bin/monasa-agent-ip

This patch removes the code that does the copy of /sbin/ip to
/usr/bin/monasca-agent-ip. There is a limitation with /sbin/ip
that limits copying it to a new name that is longer than
2 characters. The error is:

./monasca-agent-ip a
Object "nasca-agent-ip" is unknown, try "ip help".

As this is not working on RHEL,SLES, or Ubuntu this code
should be removed.

Change-Id: I439be00070eb1cf16416325f23a86fc7cd518acc
Story: 2001593
Task: 6543

docs/Libvirt.md

@@ -336,17 +336,19 @@ It is helpful for determining, for example, if a VM is in a panicked or halted s
 2. Neutron L2 plugin with a tenant network type of `vlan` or `vxlan` (other types may be supported, but have not been tested).
 3. The `python-neutronclient` library and its dependencies installed and available to the Monasca Agent
 4. Each VM needs an appropriate security group configuration to allow ICMP
+5. A sudoers entry for the monasca-agent user needs to be created which allows access to /bin/ip. For example:
+
+Defaults:monasca-agent !requiretty
+Defaults:monasca-agent  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+monasca-agent ALL = (root) NOPASSWD:/bin/ip
 
 #### Detection
 The monasca-setup detection plugin for libvirt performs the following tests and tasks before configuring ping checks:
 
 1. Ability to determine the name of the user under which monasca-agent processes run (eg, `mon-agent`)
 2. Availability of the `python-neutronclient` library (by attempting to import `client` from `neutronclient.v2_0`)
-3. A separate enhanced-capabilities `ip` command exists:
+3. Existance of /bin/ip. A separate enhanced-capabilities `ip` command exists:
-   a. The detection plugin copies `/sbin/ip` to `sys.path[0]/monasca-agent-ip` (see the [configuration](#configuration) section above for an example)
-   b. Permissions on the copy are changed to the `mon-agent` user (or whichever Agent user is configured), mode 0700.
-   c. The `/sbin/setcap` command is called, applying `cap_sys_admin+ep` to the copy, as `cap_sys_admin` is the only capability which provides `setns`, necessary to execute commands in a separate namespace.
-   d. The detection plugin confirms that the enhanced capabilities were successfully applied
 4. Existence of a ping command; detection will try `/usr/bin/fping`, `/sbin/fping`, and `/bin/ping` in that order.  `fping` is preferred because it allows for sub-second timeouts, but is not installed by default in some Linux distributions.
 
 If any of the above requirements fail, a WARN-level message is output, describing the problem.  The libvirt plugin will continue to function without these requirements, but ping checks will be disabled.

monasca_setup/detection/plugins/libvirt.py

@@ -16,9 +16,6 @@
 import logging
 import os
 import pwd
-from shutil import copy
-import subprocess
-import sys
 
 from oslo_config import cfg
 from oslo_utils import importutils
@@ -49,7 +46,7 @@ ping_options = [["/usr/bin/fping", "-n", "-c1", "-t250", "-q"],
                 ["/bin/ping", "-n", "-c1", "-w1", "-q"],
                 ["/usr/bin/ping", "-n", "-c1", "-w1", "-q"]]
 # Path to 'ip' command (needed to execute ping within network namespaces)
-ip_cmd = "/sbin/ip"
+ip_cmd = "sudo /bin/ip"
 # How many ping commands to run concurrently
 default_max_ping_concurrency = 8
 # Disk metrics can be collected at a larger interval than other vm metrics
@@ -147,7 +144,6 @@ class Libvirt(plugin.Plugin):
             log.warn("\tUnable to determine agent user. Skipping ping checks.")
             return
 
-        try:
         client = importutils.try_import('neutronclient.v2_0.client',
                                         False)
         if not client:
@@ -156,32 +152,12 @@ class Libvirt(plugin.Plugin):
                 'required for ping checks.')
             return
 
-            # TODO(dmllr) Find a better rundir or avoid copying the binary
-            # alltogether. see https://storyboard.openstack.org/#!/story/2001593
-            monasca_rundir = sys.path[0]
-            monasca_ip = "{0}/monasca-agent-ip".format(monasca_rundir)
-            # Copy system 'ip' command to monasca_rundir
-            copy(ip_cmd, monasca_ip)
-
-            # Restrict permissions on the local 'ip' command
-            os.chown(monasca_ip, *self._get_user_uid_gid(self._agent_user))
-            os.chmod(monasca_ip, 0o700)
-
-            # Set capabilities on 'ip' which will allow
-            # self.agent_user to exec commands in namespaces
-            setcap_cmd = ['/sbin/setcap', 'cap_sys_admin+ep',
-                          monasca_ip]
-            subprocess.Popen(setcap_cmd, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-            # Verify that the capabilities were set
-            setcap_cmd.extend(['-v', '-q'])
-            subprocess.check_call(setcap_cmd)
         # Look for the best ping command
         for ping_cmd in ping_options:
             if os.path.isfile(ping_cmd[0]):
                 init_config[
                     'ping_check'] = "{0} netns exec NAMESPACE {1}".format(
-                            monasca_ip,
+                        ip_cmd,
                         ' '.join(ping_cmd))
                 log.info(
                     "\tEnabling ping checks using {0}".format(ping_cmd[0]))
@@ -189,14 +165,6 @@ class Libvirt(plugin.Plugin):
         if init_config['ping_check'] is False:
             log.warn('\tUnable to find suitable ping command, '
                      'disabling ping checks.')
-        except IOError:
-            log.warn('\tUnable to copy {0}, '
-                     'ping checks disabled.'.format(ip_cmd))
-            pass
-        except (subprocess.CalledProcessError, OSError):
-            log.warn('\tUnable to set up ping checks, '
-                     'setcap failed ({0})'.format(' '.join(setcap_cmd)))
-            pass
 
     def dependencies_installed(self):
         return importutils.try_import('novaclient.client', False)