diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters index 0a81f9ddb48..bdb93fbdb96 100644 --- a/etc/neutron/rootwrap.d/iptables-firewall.filters +++ b/etc/neutron/rootwrap.d/iptables-firewall.filters @@ -8,18 +8,6 @@ [Filters] -# neutron/agent/linux/iptables_firewall.py -# "iptables-save", ... -iptables-save: CommandFilter, iptables-save, root -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-save: CommandFilter, ip6tables-save, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# neutron/agent/linux/iptables_firewall.py -# "iptables", "-A", ... -iptables: CommandFilter, iptables, root -ip6tables: CommandFilter, ip6tables, root - # neutron/agent/linux/iptables_firewall.py sysctl: CommandFilter, sysctl, root diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index 43386056511..000b676b27b 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py @@ -478,13 +478,14 @@ class IptablesManager(object): args = ['iptables-save', '-t', table] if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args - return linux_utils.execute(args, run_as_root=True).split('\n') + return linux_utils.execute(args, run_as_root=True, + privsep_exec=True).split('\n') def _get_version(self): # Output example is "iptables v1.6.2" args = ['iptables', '--version'] version = str(linux_utils.execute( - args, run_as_root=True).split()[1][1:]) + args, run_as_root=True, privsep_exec=True).split()[1][1:]) LOG.debug("IPTables version installed: %s", version) return version @@ -510,7 +511,7 @@ class IptablesManager(object): try: kwargs = {} if lock else {'log_fail_as_error': False} linux_utils.execute(args, process_input='\n'.join(commands), - run_as_root=True, **kwargs) + run_as_root=True, privsep_exec=True, **kwargs) except RuntimeError as error: return error 
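Review bot: Nothing in this hunk constrains `self.namespace` before it is spliced into the `ip netns exec` argv that `linux_utils.execute(args, run_as_root=True, privsep_exec=True)` now runs as root, and the rootwrap entries for these binaries are deleted in the same commit, so the per-command filter that previously fronted this path no longer applies to the privsep route. If the privsep side does not enforce its own command allowlist (not visible here), the only remaining control on the namespace token is whatever validation happens where it is assigned, so it would be worth either a guard such as `if self.namespace and not re.fullmatch(r'[\w.-]+', self.namespace): raise ValueError(self.namespace)` before building `args`, or at least a comment recording the assumption: `# self.namespace is trusted agent state; privsep executes this argv as root with no rootwrap filter in front of it`. The enclosing method's `def` line is outside the hunk.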
@@ -572,7 +573,8 @@ class IptablesManager(object): if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args try: - save_output = linux_utils.execute(args, run_as_root=True) + save_output = linux_utils.execute(args, run_as_root=True, + privsep_exec=True) except RuntimeError: # We could be racing with a cron job deleting namespaces. # It is useless to try to apply iptables rules over and @@ -781,7 +783,8 @@ class IptablesManager(object): # enabled is that we need to log the error. This is used to avoid # generating alarms that will be ignored by operators. current_table = linux_utils.execute( - args, run_as_root=True, log_fail_as_error=cfg.CONF.debug) + args, run_as_root=True, privsep_exec=True, + log_fail_as_error=cfg.CONF.debug) current_lines = current_table.split('\n') for line in current_lines[2:]: diff --git a/neutron/cmd/ipset_cleanup.py b/neutron/cmd/ipset_cleanup.py index 9fecf73b586..078bdd17fbf 100644 --- a/neutron/cmd/ipset_cleanup.py +++ b/neutron/cmd/ipset_cleanup.py @@ -40,7 +40,7 @@ def setup_conf(): def remove_iptables_reference(ipset): # Remove any iptables reference to this IPset cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save'] - iptables_save = utils.execute(cmd, run_as_root=True) + iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True) if ipset in iptables_save: cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables'] @@ -52,7 +52,8 @@ def remove_iptables_reference(ipset): params = rule.split() params[0] = '-D' try: - utils.execute(cmd + params, run_as_root=True) + utils.execute(cmd + params, run_as_root=True, + privsep_exec=True) except Exception: LOG.exception('Error, unable to remove iptables rule ' 'for IPset: %s', ipset) 
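Review bot: `params = rule.split()` feeding the root-executed `cmd + params` tokenises the iptables-save line on whitespace, which mangles any quoted argument with spaces, such as a `--comment "..."` (the test file in this diff references commented rule dumps), so the reconstructed `-D` call may fail to match and end up in the `except Exception` below as nothing more than a logged error, leaving the ipset reference in place. `params = shlex.split(rule)` keeps quoted tokens intact (with `import shlex` added at the top of `neutron/cmd/ipset_cleanup.py`). The `for` loop that binds `rule` starts outside the hunk.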
@@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset): LOG.info("Destroying IPset: %s", ipset) cmd = ['ipset', 'destroy', ipset] try: - utils.execute(cmd, run_as_root=True) + utils.execute(cmd, run_as_root=True, privsep_exec=True) except Exception: LOG.exception('Error, unable to destroy IPset: %s', ipset) @@ -77,7 +78,7 @@ def cleanup_ipsets(conf): LOG.info("Destroying IPsets with prefix: %s", conf.prefix) cmd = ['ipset', '-L', '-n'] - ipsets = utils.execute(cmd, run_as_root=True) + ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True) for ipset in ipsets.split('\n'): if conf.allsets or ipset.startswith(conf.prefix): destroy_ipset(conf, ipset) diff --git a/neutron/tests/unit/agent/linux/test_iptables_manager.py b/neutron/tests/unit/agent/linux/test_iptables_manager.py index 1b80bba0d1c..f005bfde438 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_manager.py +++ b/neutron/tests/unit/agent/linux/test_iptables_manager.py @@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase): mangle_dump = _generate_mangle_dump(IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + COMMENTED_NAT_DUMP + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + mangle_dump + COMMENTED_NAT_DUMP + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] tools.setup_mock_calls(self.execute, expected_calls_and_values) 
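Review bot: `for ipset in ipsets.split('\n')` yields a trailing empty string whenever the captured `ipset -L -n` output ends with a newline, and with `conf.allsets` that empty name reaches `destroy_ipset`, which then issues a root `ipset destroy ''` through privsep that can only fail and be logged as an exception. `for ipset in filter(None, ipsets.splitlines()):` avoids both the spurious root invocation and the misleading log line. The `cleanup_ipsets` header is outside the hunk.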
@@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase): def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump): expected_calls.extend([ - (mock.call(['ip6tables-save'], - run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), ''), (mock.call(['ip6tables-restore', '-n'], - process_input=filter_dump, - run_as_root=True, log_fail_as_error=False), + process_input=filter_dump, run_as_root=True, + privsep_exec=True, log_fail_as_error=False), None)]) def _extend_with_ip6tables_filter(self, expected_calls, filter_dump): expected_calls.insert(2, ( mock.call(['ip6tables-save'], - run_as_root=True), + run_as_root=True, privsep_exec=True), '')) expected_calls.insert(3, ( mock.call(['ip6tables-restore', '-n'], - process_input=filter_dump, - run_as_root=True, log_fail_as_error=False), + process_input=filter_dump, run_as_root=True, + privsep_exec=True, log_fail_as_error=False), None)) self._extend_with_ip6tables_filter_end(expected_calls, filter_dump) @@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): '# Completed by iptables_manager\n' % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + mangle_dump_mod + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump_mod + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + raw_dump_mod), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): self.execute.assert_has_calls( [mock.call(['iptables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True)]) + process_input=mock.ANY, run_as_root=True, + privsep_exec=True)]) # The RuntimeError should have triggered a log of the input to the # process that it failed to execute. Verify by comparing the log 
@@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): num_calls = 3 expected_calls_and_values = [ - (mock.call(['iptables-save'], run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), FILTER_DUMP), (mock.call(['iptables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), PE_error), (mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None), ] if self.use_ipv6: num_calls += 2 expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) 
@@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): self.execute.reset_mock() num_calls = 2 expected_calls_and_values = [ - (mock.call(['iptables-save'], run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP), (mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None), ] if self.use_ipv6: num_calls += 2 expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) 
@@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), ] if self.use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), '')) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), '')) exp_packets *= 2 exp_bytes *= 2 
@@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '') ] if self.use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '')) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '')) exp_packets *= 2 exp_bytes *= 2 
@@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), (filter_dump_mod + MANGLE_RESTORE_DUMP + NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)), ] if self.use_ipv6: expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) @@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), (filter_dump_mod + MANGLE_RESTORE_DUMP + NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)), (mock.call(['iptables-restore', '-n'], process_input=RESTORE_INPUT, - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] 
@@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName( mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName( mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 3ff77655069..9d8207e4262 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py 
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py @@ -2837,25 +2837,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): def _replay_iptables(self, v4_filter, v6_filter, raw): self._register_mock_call( - ['iptables-save'], - run_as_root=True, + ['iptables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['iptables-restore', '-n'], - process_input=self._regex(v4_filter + raw), - run_as_root=True, - log_fail_as_error=False, - return_value='') + process_input=self._regex(v4_filter + raw), run_as_root=True, + privsep_exec=True, log_fail_as_error=False, return_value='') self._register_mock_call( - ['ip6tables-save'], - run_as_root=True, + ['ip6tables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['ip6tables-restore', '-n'], - process_input=self._regex(v6_filter + raw), - run_as_root=True, - log_fail_as_error=False, - return_value='') + process_input=self._regex(v6_filter + raw), run_as_root=True, + privsep_exec=True, log_fail_as_error=False, return_value='') def test_prepare_remove_port(self): self.ipconntrack._device_zone_map = {}