Browse Source

Remove rootwrap execution (5)

Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates some missing execution methods present in
the code and removes unneeded rootwrap filters.

Story: #2007686
Task: #41558

Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
changes/10/774110/8
Rodolfo Alonso Hernandez 1 year ago
parent
commit
5a419cbc84
  1. 7
      etc/neutron/rootwrap.d/debug.filters
  2. 15
      etc/neutron/rootwrap.d/iptables-firewall.filters
  3. 13
      etc/neutron/rootwrap.d/l3.filters
  4. 7
      etc/neutron/rootwrap.d/linuxbridge-plugin.filters
  5. 3
      etc/neutron/rootwrap.d/openvswitch-plugin.filters
  6. 2
      neutron/agent/linux/ip_conntrack.py
  7. 2
      neutron/agent/linux/ip_lib.py
  8. 2
      neutron/agent/linux/ipset_manager.py
  9. 6
      neutron/agent/linux/iptables_firewall.py
  10. 10
      neutron/tests/common/net_helpers.py
  11. 14
      neutron/tests/functional/agent/linux/test_netlink_lib.py
  12. 2
      neutron/tests/functional/agent/test_firewall.py
  13. 6
      neutron/tests/unit/agent/linux/test_ip_lib.py
  14. 35
      neutron/tests/unit/agent/linux/test_ipset_manager.py
  15. 11
      neutron/tests/unit/agent/linux/test_iptables_firewall.py

7
etc/neutron/rootwrap.d/debug.filters

@ -8,13 +8,6 @@
[Filters]
# This is needed because we should ping
# from inside a namespace which requires root
# _alt variants allow to match -c and -w in any order
# (used by NeutronDebugAgent.ping_all)
ping: CommandFilter, ping, root
ping6: CommandFilter, ping6, root
# "sleep" command, only for testing
sleep: RegExpFilter, sleep, root, sleep, \d+
kill_sleep: KillFilter, root, sleep, -9

15
etc/neutron/rootwrap.d/iptables-firewall.filters

@ -1,15 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root
# neutron/agent/linux/ip_conntrack.py
conntrack: CommandFilter, conntrack, root

13
etc/neutron/rootwrap.d/l3.filters

@ -8,11 +8,7 @@
[Filters]
# arping
arping: CommandFilter, arping, root
# l3_agent
sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
@ -30,12 +26,6 @@ kill_radvd_script: CommandFilter, radvd-kill, root
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# l3_tc_lib
l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
@ -51,9 +41,6 @@ kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
# keepalived kill script filter
kill_keepalived_script: CommandFilter, keepalived-kill, root
# l3 agent to delete floatingip's conntrack state
conntrack: CommandFilter, conntrack, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
# The following filters are used to kill the keepalived state change monitor.

7
etc/neutron/rootwrap.d/linuxbridge-plugin.filters

@ -8,13 +8,6 @@
[Filters]
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
brctl: CommandFilter, brctl, root
bridge: CommandFilter, bridge, root
sysctl: CommandFilter, sysctl, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root

3
etc/neutron/rootwrap.d/openvswitch-plugin.filters

@ -17,6 +17,3 @@ ovsdb-client: CommandFilter, ovsdb-client, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# needed for FDB extension
bridge: CommandFilter, bridge, root

2
neutron/agent/linux/ip_conntrack.py

@ -163,7 +163,7 @@ class IpConntrackManager(object):
rule, remote_ip)
for cmd in conntrack_cmds:
try:
self.execute(list(cmd), run_as_root=True,
self.execute(list(cmd), run_as_root=True, privsep_exec=True,
check_exit_code=True,
extra_ok_codes=[1])
except RuntimeError:

2
neutron/agent/linux/ip_lib.py

@ -135,7 +135,7 @@ class SubProcessBase(object):
opt_list = ['-%s' % o for o in options]
ip_cmd = add_namespace_to_cmd(['ip'], namespace)
cmd = ip_cmd + opt_list + [command] + list(args)
return utils.execute(cmd, run_as_root=run_as_root,
return utils.execute(cmd, run_as_root=run_as_root, privsep_exec=True,
log_fail_as_error=self.log_fail_as_error)
def set_log_fail_as_error(self, fail_with_error):

2
neutron/agent/linux/ipset_manager.py

@ -148,7 +148,7 @@ class IpsetManager(object):
cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])
cmd_ns.extend(cmd)
self.execute(cmd_ns, run_as_root=True, process_input=input,
check_exit_code=fail_on_errors)
check_exit_code=fail_on_errors, privsep_exec=True)
def _get_new_set_ips(self, set_name, expected_ips):
new_member_ips = (set(expected_ips) -

6
neutron/agent/linux/iptables_firewall.py

@ -102,7 +102,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
log_warning = False
if not a_utils.execute(
['sysctl', '-N', 'net.bridge'], run_as_root=True,
log_fail_as_error=False, check_exit_code=False):
log_fail_as_error=False, check_exit_code=False,
privsep_exec=True):
LOG.warning('Kernel module br_netfilter is not loaded.')
log_warning = True
if not log_warning:
@ -110,7 +111,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
key = 'net.bridge.bridge-nf-call-%stables' % proto
enabled = a_utils.execute(
['sysctl', '-b', key], run_as_root=True,
log_fail_as_error=False, check_exit_code=False)
log_fail_as_error=False, check_exit_code=False,
privsep_exec=True)
if enabled == '1':
status = 'enabled'
log_method = LOG.debug

10
neutron/tests/common/net_helpers.py

@ -195,7 +195,8 @@ def _get_source_ports_from_ss_output(output):
def get_unused_port(used, start=1024, end=None):
if end is None:
port_range = utils.execute(
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
privsep_exec=True)
end = int(port_range.split()[0]) - 1
candidates = set(range(start, end + 1))
@ -235,11 +236,12 @@ def get_free_namespace_port(protocol, namespace=None, start=1024, end=None):
def set_local_port_range(start, end):
utils.execute(
['sysctl', '-w', 'net.ipv4.ip_local_port_range=%d %d' % (start, end)],
run_as_root=True)
utils.execute(['sysctl', '-p'], run_as_root=True)
run_as_root=True, privsep_exec=True)
utils.execute(['sysctl', '-p'], run_as_root=True, privsep_exec=True)
# verify
port_range = utils.execute(
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
privsep_exec=True)
assert int(port_range.split()[0]) == start
assert int(port_range.split()[1]) == end

14
neutron/tests/functional/agent/linux/test_netlink_lib.py

@ -45,10 +45,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
for cmd in conntrack_cmds:
try:
linux_utils.execute(cmd,
run_as_root=True,
check_exit_code=True,
extra_ok_codes=[1])
linux_utils.execute(
cmd, run_as_root=True, check_exit_code=True,
privsep_exec=True, extra_ok_codes=[1])
except RuntimeError:
raise Exception('Error while creating entry')
@ -66,10 +65,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
while start <= end:
cmd = ['conntrack', '-L', '-w', start]
try:
current_entries = linux_utils.execute(cmd,
run_as_root=True,
check_exit_code=True,
extra_ok_codes=[1])
current_entries = linux_utils.execute(
cmd, run_as_root=True, check_exit_code=True,
privsep_exec=True, extra_ok_codes=[1])
except RuntimeError:
raise Exception('Error while listing entries')
if not current_entries:

2
neutron/tests/functional/agent/test_firewall.py

@ -621,7 +621,7 @@ class FirewallTestCase(BaseFirewallTestCase):
# destination net unreachable
self.tester._peer.execute([
'sysctl', '-w', 'net.ipv4.conf.%s.forwarding=1' %
self.tester._peer.port.name])
self.tester._peer.port.name], privsep_exec=True)
self.tester.set_vm_default_gateway(self.tester.peer_ip_address)
vm_sg_rules = [{'ethertype': 'IPv4', 'direction': 'egress',
'protocol': 'icmp'}]

6
neutron/tests/unit/agent/linux/test_ip_lib.py

@ -112,6 +112,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', '-o', 'link', 'list'],
run_as_root=True,
privsep_exec=True,
log_fail_as_error=True)
def test_execute_wrapper_int_options(self):
@ -120,6 +121,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', '-4', 'link', 'list'],
run_as_root=False,
privsep_exec=True,
log_fail_as_error=True)
def test_execute_wrapper_no_options(self):
@ -128,6 +130,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'link', 'list'],
run_as_root=False,
privsep_exec=True,
log_fail_as_error=True)
def test_run_no_namespace(self):
@ -135,6 +138,7 @@ class TestSubProcessBase(base.BaseTestCase):
base._run([], 'link', ('list',))
self.execute.assert_called_once_with(['ip', 'link', 'list'],
run_as_root=False,
privsep_exec=True,
log_fail_as_error=True)
def test_run_namespace(self):
@ -143,6 +147,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
'ip', 'link', 'list'],
run_as_root=True,
privsep_exec=True,
log_fail_as_error=True)
def test_as_root_namespace(self):
@ -151,6 +156,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
'ip', 'link', 'list'],
run_as_root=True,
privsep_exec=True,
log_fail_as_error=True)

35
neutron/tests/unit/agent/linux/test_ipset_manager.py

@ -70,49 +70,42 @@ class BaseIpsetManagerTest(base.BaseTestCase):
input = '\n'.join(temp_input)
self.expected_calls.extend([
mock.call(['ipset', 'restore', '-exist'],
process_input=input,
run_as_root=True,
check_exit_code=True),
process_input=input, run_as_root=True,
check_exit_code=True, privsep_exec=True),
mock.call(['ipset', 'swap', TEST_SET_NAME_NEW, TEST_SET_NAME],
process_input=None,
run_as_root=True,
check_exit_code=True),
process_input=None, run_as_root=True,
check_exit_code=True, privsep_exec=True),
mock.call(['ipset', 'destroy', TEST_SET_NAME_NEW],
process_input=None,
run_as_root=True,
check_exit_code=False)])
process_input=None, run_as_root=True,
check_exit_code=False, privsep_exec=True)])
def expect_add(self, addresses):
self.expected_calls.extend(
mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
process_input=None,
run_as_root=True,
check_exit_code=True)
process_input=None, run_as_root=True,
check_exit_code=True, privsep_exec=True)
for ip in self.ipset._sanitize_addresses(addresses))
def expect_del(self, addresses):
self.expected_calls.extend(
mock.call(['ipset', 'del', TEST_SET_NAME, ip],
process_input=None,
run_as_root=True,
check_exit_code=False)
process_input=None, run_as_root=True,
check_exit_code=False, privsep_exec=True)
for ip in self.ipset._sanitize_addresses(addresses))
def expect_create(self):
self.expected_calls.append(
mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
'hash:net', 'family', 'inet'],
process_input=None,
run_as_root=True,
check_exit_code=True))
process_input=None, run_as_root=True,
check_exit_code=True, privsep_exec=True))
def expect_destroy(self):
self.expected_calls.append(
mock.call(['ipset', 'destroy', TEST_SET_NAME],
process_input=None,
run_as_root=True,
check_exit_code=False))
process_input=None, run_as_root=True,
check_exit_code=False, privsep_exec=True))
def add_first_ip(self):
self.expect_set([FAKE_IPS[0]])

11
neutron/tests/unit/agent/linux/test_iptables_firewall.py

@ -1418,8 +1418,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
cmd.extend(['-w', ct_zone])
calls = [
mock.call(cmd, run_as_root=True, check_exit_code=True,
extra_ok_codes=[1])]
mock.call(cmd, run_as_root=True, privsep_exec=True,
check_exit_code=True, extra_ok_codes=[1])]
self.utils_exec.assert_has_calls(calls)
def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
@ -1472,8 +1472,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
if ct_zone:
cmd.extend(['-w', ct_zone])
expected_calls.append(
mock.call(cmd, run_as_root=True, check_exit_code=True,
extra_ok_codes=[1]))
mock.call(cmd, run_as_root=True, privsep_exec=True,
check_exit_code=True, extra_ok_codes=[1]))
return expected_calls
def _test_remove_conntrack_entries_for_port_sec_group_change(self,
@ -1578,7 +1578,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
conntrack_cmd.extend([remote_ip_direction, ips[ethertype][1]])
calls.append(mock.call(conntrack_cmd,
run_as_root=True, check_exit_code=True,
run_as_root=True, privsep_exec=True,
check_exit_code=True,
extra_ok_codes=[1]))
self.utils_exec.assert_has_calls(calls)

Loading…
Cancel
Save