Remove rootwrap execution (5)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call. This patch migrates some missing execution methods present in the code and removes unneeded rootwrap filters. Story: #2007686 Task: #41558 Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
parent
90309cf6e2
commit
5a419cbc84
@ -8,13 +8,6 @@
|
|||||||
|
|
||||||
[Filters]
|
[Filters]
|
||||||
|
|
||||||
# This is needed because we should ping
|
|
||||||
# from inside a namespace which requires root
|
|
||||||
# _alt variants allow to match -c and -w in any order
|
|
||||||
# (used by NeutronDebugAgent.ping_all)
|
|
||||||
ping: CommandFilter, ping, root
|
|
||||||
ping6: CommandFilter, ping6, root
|
|
||||||
|
|
||||||
# "sleep" command, only for testing
|
# "sleep" command, only for testing
|
||||||
sleep: RegExpFilter, sleep, root, sleep, \d+
|
sleep: RegExpFilter, sleep, root, sleep, \d+
|
||||||
kill_sleep: KillFilter, root, sleep, -9
|
kill_sleep: KillFilter, root, sleep, -9
|
||||||
|
@ -1,15 +0,0 @@
|
|||||||
# neutron-rootwrap command filters for nodes on which neutron is
|
|
||||||
# expected to control network
|
|
||||||
#
|
|
||||||
# This file should be owned by (and only-writeable by) the root user
|
|
||||||
|
|
||||||
# format seems to be
|
|
||||||
# cmd-name: filter-name, raw-command, user, args
|
|
||||||
|
|
||||||
[Filters]
|
|
||||||
|
|
||||||
# neutron/agent/linux/iptables_firewall.py
|
|
||||||
sysctl: CommandFilter, sysctl, root
|
|
||||||
|
|
||||||
# neutron/agent/linux/ip_conntrack.py
|
|
||||||
conntrack: CommandFilter, conntrack, root
|
|
@ -8,11 +8,7 @@
|
|||||||
|
|
||||||
[Filters]
|
[Filters]
|
||||||
|
|
||||||
# arping
|
|
||||||
arping: CommandFilter, arping, root
|
|
||||||
|
|
||||||
# l3_agent
|
# l3_agent
|
||||||
sysctl: CommandFilter, sysctl, root
|
|
||||||
route: CommandFilter, route, root
|
route: CommandFilter, route, root
|
||||||
radvd: CommandFilter, radvd, root
|
radvd: CommandFilter, radvd, root
|
||||||
|
|
||||||
@ -30,12 +26,6 @@ kill_radvd_script: CommandFilter, radvd-kill, root
|
|||||||
ip: IpFilter, ip, root
|
ip: IpFilter, ip, root
|
||||||
ip_exec: IpNetnsExecFilter, ip, root
|
ip_exec: IpNetnsExecFilter, ip, root
|
||||||
|
|
||||||
# l3_tc_lib
|
|
||||||
l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
|
|
||||||
l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
|
|
||||||
l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
|
|
||||||
l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
|
|
||||||
|
|
||||||
# For ip monitor
|
# For ip monitor
|
||||||
kill_ip_monitor: KillFilter, root, ip, -9
|
kill_ip_monitor: KillFilter, root, ip, -9
|
||||||
|
|
||||||
@ -51,9 +41,6 @@ kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
|
|||||||
# keepalived kill script filter
|
# keepalived kill script filter
|
||||||
kill_keepalived_script: CommandFilter, keepalived-kill, root
|
kill_keepalived_script: CommandFilter, keepalived-kill, root
|
||||||
|
|
||||||
# l3 agent to delete floatingip's conntrack state
|
|
||||||
conntrack: CommandFilter, conntrack, root
|
|
||||||
|
|
||||||
# keepalived state change monitor
|
# keepalived state change monitor
|
||||||
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
||||||
# The following filters are used to kill the keepalived state change monitor.
|
# The following filters are used to kill the keepalived state change monitor.
|
||||||
|
@ -8,13 +8,6 @@
|
|||||||
|
|
||||||
[Filters]
|
[Filters]
|
||||||
|
|
||||||
# linuxbridge-agent
|
|
||||||
# unclear whether both variants are necessary, but I'm transliterating
|
|
||||||
# from the old mechanism
|
|
||||||
brctl: CommandFilter, brctl, root
|
|
||||||
bridge: CommandFilter, bridge, root
|
|
||||||
sysctl: CommandFilter, sysctl, root
|
|
||||||
|
|
||||||
# ip_lib
|
# ip_lib
|
||||||
ip: IpFilter, ip, root
|
ip: IpFilter, ip, root
|
||||||
ip_exec: IpNetnsExecFilter, ip, root
|
ip_exec: IpNetnsExecFilter, ip, root
|
||||||
|
@ -17,6 +17,3 @@ ovsdb-client: CommandFilter, ovsdb-client, root
|
|||||||
# ip_lib
|
# ip_lib
|
||||||
ip: IpFilter, ip, root
|
ip: IpFilter, ip, root
|
||||||
ip_exec: IpNetnsExecFilter, ip, root
|
ip_exec: IpNetnsExecFilter, ip, root
|
||||||
|
|
||||||
# needed for FDB extension
|
|
||||||
bridge: CommandFilter, bridge, root
|
|
||||||
|
@ -163,7 +163,7 @@ class IpConntrackManager(object):
|
|||||||
rule, remote_ip)
|
rule, remote_ip)
|
||||||
for cmd in conntrack_cmds:
|
for cmd in conntrack_cmds:
|
||||||
try:
|
try:
|
||||||
self.execute(list(cmd), run_as_root=True,
|
self.execute(list(cmd), run_as_root=True, privsep_exec=True,
|
||||||
check_exit_code=True,
|
check_exit_code=True,
|
||||||
extra_ok_codes=[1])
|
extra_ok_codes=[1])
|
||||||
except RuntimeError:
|
except RuntimeError:
|
||||||
|
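Review bot: The `self.execute(list(cmd), run_as_root=True, privsep_exec=True, ...)` call inside the `for cmd in conntrack_cmds:` loop is the only non-test conntrack call site migrated on this page, while the same commit deletes the `conntrack: CommandFilter, conntrack, root` entries from the rootwrap filter files. Any caller still on the rootwrap path would presumably be rejected once those filters are gone, so confirm that no other `conntrack` invocation passes `run_as_root=True` without `privsep_exec=True`. The `except RuntimeError:` below also depends on a privsep-path failure still surfacing as `RuntimeError`; `self.execute` is not visible here, so that needs checking too. The enclosing method starts and ends outside the hunk.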
@ -135,7 +135,7 @@ class SubProcessBase(object):
|
|||||||
opt_list = ['-%s' % o for o in options]
|
opt_list = ['-%s' % o for o in options]
|
||||||
ip_cmd = add_namespace_to_cmd(['ip'], namespace)
|
ip_cmd = add_namespace_to_cmd(['ip'], namespace)
|
||||||
cmd = ip_cmd + opt_list + [command] + list(args)
|
cmd = ip_cmd + opt_list + [command] + list(args)
|
||||||
return utils.execute(cmd, run_as_root=run_as_root,
|
return utils.execute(cmd, run_as_root=run_as_root, privsep_exec=True,
|
||||||
log_fail_as_error=self.log_fail_as_error)
|
log_fail_as_error=self.log_fail_as_error)
|
||||||
|
|
||||||
def set_log_fail_as_error(self, fail_with_error):
|
def set_log_fail_as_error(self, fail_with_error):
|
||||||
|
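Review bot: `privsep_exec=True` is hard-coded in `return utils.execute(cmd, run_as_root=run_as_root, privsep_exec=True, ...)`, so it is sent even when `run_as_root` is False, and the updated unit tests on this page assert exactly that combination. `utils.execute` is not visible here, so it is unclear whether the flag is ignored for unprivileged calls; writing `privsep_exec=run_as_root` would state the intent and keep unprivileged `ip` commands off the privileged path either way. This wrapper also builds its argv from caller-supplied `options`, `command` and `args`. If the privsep path applies no per-command filter the way the rootwrap `IpFilter` and `IpNetnsExecFilter` entries did, a short comment here saying that callers are responsible for validating those values would help the next reviewer. The enclosing method starts outside the hunk.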
@ -148,7 +148,7 @@ class IpsetManager(object):
|
|||||||
cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])
|
cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])
|
||||||
cmd_ns.extend(cmd)
|
cmd_ns.extend(cmd)
|
||||||
self.execute(cmd_ns, run_as_root=True, process_input=input,
|
self.execute(cmd_ns, run_as_root=True, process_input=input,
|
||||||
check_exit_code=fail_on_errors)
|
check_exit_code=fail_on_errors, privsep_exec=True)
|
||||||
|
|
||||||
def _get_new_set_ips(self, set_name, expected_ips):
|
def _get_new_set_ips(self, set_name, expected_ips):
|
||||||
new_member_ips = (set(expected_ips) -
|
new_member_ips = (set(expected_ips) -
|
||||||
|
@ -102,7 +102,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
log_warning = False
|
log_warning = False
|
||||||
if not a_utils.execute(
|
if not a_utils.execute(
|
||||||
['sysctl', '-N', 'net.bridge'], run_as_root=True,
|
['sysctl', '-N', 'net.bridge'], run_as_root=True,
|
||||||
log_fail_as_error=False, check_exit_code=False):
|
log_fail_as_error=False, check_exit_code=False,
|
||||||
|
privsep_exec=True):
|
||||||
LOG.warning('Kernel module br_netfilter is not loaded.')
|
LOG.warning('Kernel module br_netfilter is not loaded.')
|
||||||
log_warning = True
|
log_warning = True
|
||||||
if not log_warning:
|
if not log_warning:
|
||||||
@ -110,7 +111,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
key = 'net.bridge.bridge-nf-call-%stables' % proto
|
key = 'net.bridge.bridge-nf-call-%stables' % proto
|
||||||
enabled = a_utils.execute(
|
enabled = a_utils.execute(
|
||||||
['sysctl', '-b', key], run_as_root=True,
|
['sysctl', '-b', key], run_as_root=True,
|
||||||
log_fail_as_error=False, check_exit_code=False)
|
log_fail_as_error=False, check_exit_code=False,
|
||||||
|
privsep_exec=True)
|
||||||
if enabled == '1':
|
if enabled == '1':
|
||||||
status = 'enabled'
|
status = 'enabled'
|
||||||
log_method = LOG.debug
|
log_method = LOG.debug
|
||||||
|
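Review bot: Both migrated `a_utils.execute` calls consume the return value directly, in `if not a_utils.execute(['sysctl', '-N', 'net.bridge'], ...)` and in `if enabled == '1':` after `sysctl -b`. Both also pass `check_exit_code=False` and `log_fail_as_error=False`, so any difference in what the privsep path returns (type, trailing whitespace, empty output on a daemon-side failure) would silently flip the result. The first check would then report 'Kernel module br_netfilter is not loaded.' for an unrelated execution failure. `a_utils.execute` is not visible here, so this is something to confirm, ideally with a unit test that pins the returned string for both calls under `privsep_exec=True`. The enclosing method starts and ends outside both hunks.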
@ -195,7 +195,8 @@ def _get_source_ports_from_ss_output(output):
|
|||||||
def get_unused_port(used, start=1024, end=None):
|
def get_unused_port(used, start=1024, end=None):
|
||||||
if end is None:
|
if end is None:
|
||||||
port_range = utils.execute(
|
port_range = utils.execute(
|
||||||
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
|
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
|
||||||
|
privsep_exec=True)
|
||||||
end = int(port_range.split()[0]) - 1
|
end = int(port_range.split()[0]) - 1
|
||||||
|
|
||||||
candidates = set(range(start, end + 1))
|
candidates = set(range(start, end + 1))
|
||||||
@ -235,11 +236,12 @@ def get_free_namespace_port(protocol, namespace=None, start=1024, end=None):
|
|||||||
def set_local_port_range(start, end):
|
def set_local_port_range(start, end):
|
||||||
utils.execute(
|
utils.execute(
|
||||||
['sysctl', '-w', 'net.ipv4.ip_local_port_range=%d %d' % (start, end)],
|
['sysctl', '-w', 'net.ipv4.ip_local_port_range=%d %d' % (start, end)],
|
||||||
run_as_root=True)
|
run_as_root=True, privsep_exec=True)
|
||||||
utils.execute(['sysctl', '-p'], run_as_root=True)
|
utils.execute(['sysctl', '-p'], run_as_root=True, privsep_exec=True)
|
||||||
# verify
|
# verify
|
||||||
port_range = utils.execute(
|
port_range = utils.execute(
|
||||||
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
|
['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
|
||||||
|
privsep_exec=True)
|
||||||
assert int(port_range.split()[0]) == start
|
assert int(port_range.split()[0]) == start
|
||||||
assert int(port_range.split()[1]) == end
|
assert int(port_range.split()[1]) == end
|
||||||
|
|
||||||
|
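Review bot: The `sysctl -n net.ipv4.ip_local_port_range` calls in `get_unused_port` and in the verify step of `set_local_port_range` only read a value, yet they keep `run_as_root=True` and now also route through `privsep_exec=True`. Reading this key normally needs no privilege, so unless the test environment restricts it, both reads could be `utils.execute(['sysctl', '-n', 'net.ipv4.ip_local_port_range'])`, leaving only the `-w` and `-p` calls on the privileged path. If root is required for a reason not visible here, a one-line comment saying why would be enough.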
@ -45,10 +45,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
|
|||||||
|
|
||||||
for cmd in conntrack_cmds:
|
for cmd in conntrack_cmds:
|
||||||
try:
|
try:
|
||||||
linux_utils.execute(cmd,
|
linux_utils.execute(
|
||||||
run_as_root=True,
|
cmd, run_as_root=True, check_exit_code=True,
|
||||||
check_exit_code=True,
|
privsep_exec=True, extra_ok_codes=[1])
|
||||||
extra_ok_codes=[1])
|
|
||||||
except RuntimeError:
|
except RuntimeError:
|
||||||
raise Exception('Error while creating entry')
|
raise Exception('Error while creating entry')
|
||||||
|
|
||||||
@ -66,10 +65,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
|
|||||||
while start <= end:
|
while start <= end:
|
||||||
cmd = ['conntrack', '-L', '-w', start]
|
cmd = ['conntrack', '-L', '-w', start]
|
||||||
try:
|
try:
|
||||||
current_entries = linux_utils.execute(cmd,
|
current_entries = linux_utils.execute(
|
||||||
run_as_root=True,
|
cmd, run_as_root=True, check_exit_code=True,
|
||||||
check_exit_code=True,
|
privsep_exec=True, extra_ok_codes=[1])
|
||||||
extra_ok_codes=[1])
|
|
||||||
except RuntimeError:
|
except RuntimeError:
|
||||||
raise Exception('Error while listing entries')
|
raise Exception('Error while listing entries')
|
||||||
if not current_entries:
|
if not current_entries:
|
||||||
|
@ -621,7 +621,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
# destination net unreachable
|
# destination net unreachable
|
||||||
self.tester._peer.execute([
|
self.tester._peer.execute([
|
||||||
'sysctl', '-w', 'net.ipv4.conf.%s.forwarding=1' %
|
'sysctl', '-w', 'net.ipv4.conf.%s.forwarding=1' %
|
||||||
self.tester._peer.port.name])
|
self.tester._peer.port.name], privsep_exec=True)
|
||||||
self.tester.set_vm_default_gateway(self.tester.peer_ip_address)
|
self.tester.set_vm_default_gateway(self.tester.peer_ip_address)
|
||||||
vm_sg_rules = [{'ethertype': 'IPv4', 'direction': 'egress',
|
vm_sg_rules = [{'ethertype': 'IPv4', 'direction': 'egress',
|
||||||
'protocol': 'icmp'}]
|
'protocol': 'icmp'}]
|
||||||
|
@ -112,6 +112,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
|
|
||||||
self.execute.assert_called_once_with(['ip', '-o', 'link', 'list'],
|
self.execute.assert_called_once_with(['ip', '-o', 'link', 'list'],
|
||||||
run_as_root=True,
|
run_as_root=True,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
def test_execute_wrapper_int_options(self):
|
def test_execute_wrapper_int_options(self):
|
||||||
@ -120,6 +121,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
|
|
||||||
self.execute.assert_called_once_with(['ip', '-4', 'link', 'list'],
|
self.execute.assert_called_once_with(['ip', '-4', 'link', 'list'],
|
||||||
run_as_root=False,
|
run_as_root=False,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
def test_execute_wrapper_no_options(self):
|
def test_execute_wrapper_no_options(self):
|
||||||
@ -128,6 +130,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
|
|
||||||
self.execute.assert_called_once_with(['ip', 'link', 'list'],
|
self.execute.assert_called_once_with(['ip', 'link', 'list'],
|
||||||
run_as_root=False,
|
run_as_root=False,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
def test_run_no_namespace(self):
|
def test_run_no_namespace(self):
|
||||||
@ -135,6 +138,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
base._run([], 'link', ('list',))
|
base._run([], 'link', ('list',))
|
||||||
self.execute.assert_called_once_with(['ip', 'link', 'list'],
|
self.execute.assert_called_once_with(['ip', 'link', 'list'],
|
||||||
run_as_root=False,
|
run_as_root=False,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
def test_run_namespace(self):
|
def test_run_namespace(self):
|
||||||
@ -143,6 +147,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
|
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
|
||||||
'ip', 'link', 'list'],
|
'ip', 'link', 'list'],
|
||||||
run_as_root=True,
|
run_as_root=True,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
def test_as_root_namespace(self):
|
def test_as_root_namespace(self):
|
||||||
@ -151,6 +156,7 @@ class TestSubProcessBase(base.BaseTestCase):
|
|||||||
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
|
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
|
||||||
'ip', 'link', 'list'],
|
'ip', 'link', 'list'],
|
||||||
run_as_root=True,
|
run_as_root=True,
|
||||||
|
privsep_exec=True,
|
||||||
log_fail_as_error=True)
|
log_fail_as_error=True)
|
||||||
|
|
||||||
|
|
||||||
|
@ -70,49 +70,42 @@ class BaseIpsetManagerTest(base.BaseTestCase):
|
|||||||
input = '\n'.join(temp_input)
|
input = '\n'.join(temp_input)
|
||||||
self.expected_calls.extend([
|
self.expected_calls.extend([
|
||||||
mock.call(['ipset', 'restore', '-exist'],
|
mock.call(['ipset', 'restore', '-exist'],
|
||||||
process_input=input,
|
process_input=input, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=True, privsep_exec=True),
|
||||||
check_exit_code=True),
|
|
||||||
mock.call(['ipset', 'swap', TEST_SET_NAME_NEW, TEST_SET_NAME],
|
mock.call(['ipset', 'swap', TEST_SET_NAME_NEW, TEST_SET_NAME],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=True, privsep_exec=True),
|
||||||
check_exit_code=True),
|
|
||||||
mock.call(['ipset', 'destroy', TEST_SET_NAME_NEW],
|
mock.call(['ipset', 'destroy', TEST_SET_NAME_NEW],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=False, privsep_exec=True)])
|
||||||
check_exit_code=False)])
|
|
||||||
|
|
||||||
def expect_add(self, addresses):
|
def expect_add(self, addresses):
|
||||||
self.expected_calls.extend(
|
self.expected_calls.extend(
|
||||||
mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
|
mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=True, privsep_exec=True)
|
||||||
check_exit_code=True)
|
|
||||||
for ip in self.ipset._sanitize_addresses(addresses))
|
for ip in self.ipset._sanitize_addresses(addresses))
|
||||||
|
|
||||||
def expect_del(self, addresses):
|
def expect_del(self, addresses):
|
||||||
|
|
||||||
self.expected_calls.extend(
|
self.expected_calls.extend(
|
||||||
mock.call(['ipset', 'del', TEST_SET_NAME, ip],
|
mock.call(['ipset', 'del', TEST_SET_NAME, ip],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=False, privsep_exec=True)
|
||||||
check_exit_code=False)
|
|
||||||
for ip in self.ipset._sanitize_addresses(addresses))
|
for ip in self.ipset._sanitize_addresses(addresses))
|
||||||
|
|
||||||
def expect_create(self):
|
def expect_create(self):
|
||||||
self.expected_calls.append(
|
self.expected_calls.append(
|
||||||
mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
|
mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
|
||||||
'hash:net', 'family', 'inet'],
|
'hash:net', 'family', 'inet'],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=True, privsep_exec=True))
|
||||||
check_exit_code=True))
|
|
||||||
|
|
||||||
def expect_destroy(self):
|
def expect_destroy(self):
|
||||||
self.expected_calls.append(
|
self.expected_calls.append(
|
||||||
mock.call(['ipset', 'destroy', TEST_SET_NAME],
|
mock.call(['ipset', 'destroy', TEST_SET_NAME],
|
||||||
process_input=None,
|
process_input=None, run_as_root=True,
|
||||||
run_as_root=True,
|
check_exit_code=False, privsep_exec=True))
|
||||||
check_exit_code=False))
|
|
||||||
|
|
||||||
def add_first_ip(self):
|
def add_first_ip(self):
|
||||||
self.expect_set([FAKE_IPS[0]])
|
self.expect_set([FAKE_IPS[0]])
|
||||||
|
@ -1418,8 +1418,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||||||
|
|
||||||
cmd.extend(['-w', ct_zone])
|
cmd.extend(['-w', ct_zone])
|
||||||
calls = [
|
calls = [
|
||||||
mock.call(cmd, run_as_root=True, check_exit_code=True,
|
mock.call(cmd, run_as_root=True, privsep_exec=True,
|
||||||
extra_ok_codes=[1])]
|
check_exit_code=True, extra_ok_codes=[1])]
|
||||||
self.utils_exec.assert_has_calls(calls)
|
self.utils_exec.assert_has_calls(calls)
|
||||||
|
|
||||||
def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
|
def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
|
||||||
@ -1472,8 +1472,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||||||
if ct_zone:
|
if ct_zone:
|
||||||
cmd.extend(['-w', ct_zone])
|
cmd.extend(['-w', ct_zone])
|
||||||
expected_calls.append(
|
expected_calls.append(
|
||||||
mock.call(cmd, run_as_root=True, check_exit_code=True,
|
mock.call(cmd, run_as_root=True, privsep_exec=True,
|
||||||
extra_ok_codes=[1]))
|
check_exit_code=True, extra_ok_codes=[1]))
|
||||||
return expected_calls
|
return expected_calls
|
||||||
|
|
||||||
def _test_remove_conntrack_entries_for_port_sec_group_change(self,
|
def _test_remove_conntrack_entries_for_port_sec_group_change(self,
|
||||||
@ -1578,7 +1578,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||||||
conntrack_cmd.extend([remote_ip_direction, ips[ethertype][1]])
|
conntrack_cmd.extend([remote_ip_direction, ips[ethertype][1]])
|
||||||
|
|
||||||
calls.append(mock.call(conntrack_cmd,
|
calls.append(mock.call(conntrack_cmd,
|
||||||
run_as_root=True, check_exit_code=True,
|
run_as_root=True, privsep_exec=True,
|
||||||
|
check_exit_code=True,
|
||||||
extra_ok_codes=[1]))
|
extra_ok_codes=[1]))
|
||||||
|
|
||||||
self.utils_exec.assert_has_calls(calls)
|
self.utils_exec.assert_has_calls(calls)
|
||||||
|