Remove "ovs-vsctl" support from rootwrap

This command is executed from scripts and in sanity checks, but not from any Neutron service. Change-Id: If82e89bf7b233559513ab44eadebb445648f0684 Story: #2007686 Task: #41282
2020-11-18 16:58:07 +00:00 · 2020-11-18 16:58:07 +00:00 · 55f5c78053
parent b916ac3b73
commit 55f5c78053
8 changed files with 58 additions and 10 deletions
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ b/etc/neutron/rootwrap.d/dhcp.filters
@ -18,7 +18,6 @@ kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
 # dnsmasq kill script filter
 kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root

-ovs-vsctl: CommandFilter, ovs-vsctl, root
 mm-ctl: CommandFilter, mm-ctl, root

 # haproxy
--- a/etc/neutron/rootwrap.d/l3.filters
+++ b/etc/neutron/rootwrap.d/l3.filters
@ -40,9 +40,6 @@ l3_tc_add_filter_egress:  RegExpFilter, tc, root, tc, filter, add, dev, .+, pare
 # For ip monitor
 kill_ip_monitor: KillFilter, root, ip, -9

-# ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
 # iptables_manager
 iptables-save: CommandFilter, iptables-save, root
 iptables-restore: CommandFilter, iptables-restore, root
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@ -9,9 +9,6 @@
 [Filters]

 # openvswitch-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-ovs-vsctl: CommandFilter, ovs-vsctl, root
 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
 ovs-ofctl: CommandFilter, ovs-ofctl, root
 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
--- a/neutron/agent/ovsdb/native/helpers.py
+++ b/neutron/agent/ovsdb/native/helpers.py
@ -15,18 +15,17 @@
 import functools

 from oslo_config import cfg
-from ovsdbapp.schema.open_vswitch import helpers

-from neutron.agent.common import utils
 from neutron.conf.agent import ovs_conf as agent_ovs_conf
 from neutron.conf.plugins.ml2.drivers import ovs_conf as ml2_ovs_conf
+from neutron.privileged.agent.ovsdb.native import helpers as priv_helpers


 agent_ovs_conf.register_ovs_agent_opts(cfg.CONF)
 ml2_ovs_conf.register_ovs_opts(cfg=cfg.CONF)

 enable_connection_uri = functools.partial(
-    helpers.enable_connection_uri, execute=utils.execute, run_as_root=True,
+    priv_helpers.enable_connection_uri,
    log_fail_as_error=False, check_exit_code=False,
    timeout=cfg.CONF.OVS.ovsdb_timeout,
    inactivity_probe=cfg.CONF.OVS.of_inactivity_probe * 1000)
--- a/neutron/privileged/init.py
+++ b/neutron/privileged/init.py
@ -37,3 +37,12 @@ dhcp_release_cmd = priv_context.PrivContext(
    capabilities=[caps.CAP_SYS_ADMIN,
                  caps.CAP_NET_ADMIN]
 )
+
+
+ovs_vsctl_cmd = priv_context.PrivContext(
+    __name__,
+    cfg_section='privsep_ovs_vsctl',
+    pypath=__name__ + '.ovs_vsctl_cmd',
+    capabilities=[caps.CAP_SYS_ADMIN,
+                  caps.CAP_NET_ADMIN]
+)
--- a/neutron/privileged/agent/ovsdb/init.py
+++ b/neutron/privileged/agent/ovsdb/init.py
--- a/neutron/privileged/agent/ovsdb/native/init.py
+++ b/neutron/privileged/agent/ovsdb/native/init.py
--- a/neutron/privileged/agent/ovsdb/native/helpers.py
+++ b/neutron/privileged/agent/ovsdb/native/helpers.py
@ -0,0 +1,47 @@
+# Copyright (c) 2020 Red Hat, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_concurrency import processutils
+
+from neutron import privileged
+
+
+def _connection_to_manager_uri(conn_uri):
+    proto, addr = conn_uri.split(':', 1)
+    if ':' in addr:
+        ip, port = addr.split(':', 1)
+        return 'p%s:%s:%s' % (proto, port, ip)
+    return 'p%s:%s' % (proto, addr)
+
+
+@privileged.ovs_vsctl_cmd.entrypoint
+def enable_connection_uri(conn_uri, log_fail_as_error=False,
+                          check_exit_code=False, **kwargs):
+    timeout = kwargs.pop('timeout', 5)
+    # NOTE(ralonsoh): this method has been transcripted from ovsdbapp library:
+    # https://github.com/openstack/ovsdbapp/blob/stable/victoria/ovsdbapp/
+    #   schema/open_vswitch/helpers.py
+    # NOTE(ralonsoh): the command timeout , "timeout", is defined in seconds;
+    # the probe timeout is defined in milliseconds. If "timeout" is used, must
+    # be converted to ms.
+    probe = (timeout * 1000 if kwargs.pop('set_timeout', None) else
+             kwargs.pop('inactivity_probe', None))
+    man_uri = _connection_to_manager_uri(conn_uri)
+    cmd = ['ovs-vsctl', '--timeout=%d' % timeout, '--id=@manager',
+           '--', 'create', 'Manager', 'target="%s"' % man_uri,
+           '--', 'add', 'Open_vSwitch', '.', 'manager_options', '@manager']
+    if probe is not None:
+        cmd += ['--', 'set', 'Manager', man_uri, 'inactivity_probe=%s' % probe]
+    return processutils.execute(*cmd, log_errors=log_fail_as_error,
+                                check_exit_code=check_exit_code)