From 6c75316ca0a7ee2f6513bb6bc0797678ef419d24 Mon Sep 17 00:00:00 2001 From: Rodolfo Alonso Hernandez Date: Thu, 4 Feb 2021 18:03:50 +0000 Subject: [PATCH] Remove rootwrap execution (4) Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call. This patch migrates any "iptables" and "ipset" command related to privsep. Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c Story: #2007686 Task: #41558 --- .../rootwrap.d/iptables-firewall.filters | 12 - neutron/agent/linux/iptables_manager.py | 13 +- neutron/cmd/ipset_cleanup.py | 9 +- .../unit/agent/linux/test_iptables_manager.py | 206 ++++++++++-------- .../unit/agent/test_securitygroups_rpc.py | 18 +- 5 files changed, 132 insertions(+), 126 deletions(-) diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters index 0a81f9ddb48..bdb93fbdb96 100644 --- a/etc/neutron/rootwrap.d/iptables-firewall.filters +++ b/etc/neutron/rootwrap.d/iptables-firewall.filters @@ -8,18 +8,6 @@ [Filters] -# neutron/agent/linux/iptables_firewall.py -# "iptables-save", ... -iptables-save: CommandFilter, iptables-save, root -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-save: CommandFilter, ip6tables-save, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# neutron/agent/linux/iptables_firewall.py -# "iptables", "-A", ... -iptables: CommandFilter, iptables, root -ip6tables: CommandFilter, ip6tables, root - # neutron/agent/linux/iptables_firewall.py sysctl: CommandFilter, sysctl, root diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index 43386056511..000b676b27b 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py 
@@ -478,13 +478,14 @@ class IptablesManager(object): args = ['iptables-save', '-t', table] if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args - return linux_utils.execute(args, run_as_root=True).split('\n') + return linux_utils.execute(args, run_as_root=True, + privsep_exec=True).split('\n') def _get_version(self): # Output example is "iptables v1.6.2" args = ['iptables', '--version'] version = str(linux_utils.execute( - args, run_as_root=True).split()[1][1:]) + args, run_as_root=True, privsep_exec=True).split()[1][1:]) LOG.debug("IPTables version installed: %s", version) return version @@ -510,7 +511,7 @@ class IptablesManager(object): try: kwargs = {} if lock else {'log_fail_as_error': False} linux_utils.execute(args, process_input='\n'.join(commands), - run_as_root=True, **kwargs) + run_as_root=True, privsep_exec=True, **kwargs) except RuntimeError as error: return error @@ -572,7 +573,8 @@ class IptablesManager(object): if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args try: - save_output = linux_utils.execute(args, run_as_root=True) + save_output = linux_utils.execute(args, run_as_root=True, + privsep_exec=True) except RuntimeError: # We could be racing with a cron job deleting namespaces. # It is useless to try to apply iptables rules over and @@ -781,7 +783,8 @@ class IptablesManager(object): # enabled is that we need to log the error. This is used to avoid # generating alarms that will be ignored by operators. current_table = linux_utils.execute( - args, run_as_root=True, log_fail_as_error=cfg.CONF.debug) + args, run_as_root=True, privsep_exec=True, + log_fail_as_error=cfg.CONF.debug) current_lines = current_table.split('\n') for line in current_lines[2:]: diff --git a/neutron/cmd/ipset_cleanup.py b/neutron/cmd/ipset_cleanup.py index 9fecf73b586..078bdd17fbf 100644 --- a/neutron/cmd/ipset_cleanup.py +++ b/neutron/cmd/ipset_cleanup.py 
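Review bot: `_get_version` now round-trips `iptables --version` through the privileged context, although printing the binary's version does not appear to require root; if that holds in the target deployments, dropping `run_as_root=True, privsep_exec=True` from that one call keeps the privileged execution surface to the calls that actually read or rewrite tables. More broadly, the rootwrap CommandFilters deleted in the first file of this patch were the remaining allow-list on which binaries could be run as root, so unless the privsep-side `execute` applies its own allow-list (not visible here) the argument lists built in this file, including `['ip', 'netns', 'exec', self.namespace] + args` in the first and third hunks, reach the privileged helper unchecked and `self.namespace` should be validated where it is assigned. A comment at the first call would make the trade-off explicit for maintainers: `# privsep_exec hands the command to the privileged daemon; rootwrap filters no longer constrain which binaries run as root.` The same flag addition is repeated in the other three hunks of this file and in neutron/cmd/ipset_cleanup.py, and every enclosing method here starts outside its hunk.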
@@ -40,7 +40,7 @@ def setup_conf(): def remove_iptables_reference(ipset): # Remove any iptables reference to this IPset cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save'] - iptables_save = utils.execute(cmd, run_as_root=True) + iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True) if ipset in iptables_save: cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables'] @@ -52,7 +52,8 @@ def remove_iptables_reference(ipset): params = rule.split() params[0] = '-D' try: - utils.execute(cmd + params, run_as_root=True) + utils.execute(cmd + params, run_as_root=True, + privsep_exec=True) except Exception: LOG.exception('Error, unable to remove iptables rule ' 'for IPset: %s', ipset) @@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset): LOG.info("Destroying IPset: %s", ipset) cmd = ['ipset', 'destroy', ipset] try: - utils.execute(cmd, run_as_root=True) + utils.execute(cmd, run_as_root=True, privsep_exec=True) except Exception: LOG.exception('Error, unable to destroy IPset: %s', ipset) @@ -77,7 +78,7 @@ def cleanup_ipsets(conf): LOG.info("Destroying IPsets with prefix: %s", conf.prefix) cmd = ['ipset', '-L', '-n'] - ipsets = utils.execute(cmd, run_as_root=True) + ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True) for ipset in ipsets.split('\n'): if conf.allsets or ipset.startswith(conf.prefix): destroy_ipset(conf, ipset) diff --git a/neutron/tests/unit/agent/linux/test_iptables_manager.py b/neutron/tests/unit/agent/linux/test_iptables_manager.py index 1b80bba0d1c..f005bfde438 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_manager.py +++ b/neutron/tests/unit/agent/linux/test_iptables_manager.py 
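Review bot: In `cleanup_ipsets` (last hunk of this file) `for ipset in ipsets.split('\n')` yields a trailing empty string whenever the `ipset -L -n` output ends with a newline, so with `conf.allsets` the tool calls `destroy_ipset(conf, '')` and logs a spurious `ipset destroy` failure from the privileged context; `for ipset in ipsets.splitlines():` followed by `if not ipset: continue` avoids that. In `remove_iptables_reference` the tokens from `rule.split()` are re-executed as root with `-D` substituted for the first one; `rule` appears to come from iterating the `iptables_save` dump rather than from command-line input, which is worth stating now that the rootwrap CommandFilters for iptables/ip6tables are gone and no longer restrict what this script runs: `# params are taken from the live iptables-save dump, not from CLI input`. The bodies of both functions extend outside these hunks.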
@@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase): mangle_dump = _generate_mangle_dump(IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + COMMENTED_NAT_DUMP + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + mangle_dump + COMMENTED_NAT_DUMP + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] tools.setup_mock_calls(self.execute, expected_calls_and_values) @@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase): def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump): expected_calls.extend([ - (mock.call(['ip6tables-save'], - run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), ''), (mock.call(['ip6tables-restore', '-n'], - process_input=filter_dump, - run_as_root=True, log_fail_as_error=False), + process_input=filter_dump, run_as_root=True, + privsep_exec=True, log_fail_as_error=False), None)]) def _extend_with_ip6tables_filter(self, expected_calls, filter_dump): expected_calls.insert(2, ( mock.call(['ip6tables-save'], - run_as_root=True), + run_as_root=True, privsep_exec=True), '')) expected_calls.insert(3, ( mock.call(['ip6tables-restore', '-n'], - process_input=filter_dump, - run_as_root=True, log_fail_as_error=False), + process_input=filter_dump, run_as_root=True, + privsep_exec=True, log_fail_as_error=False), None)) self._extend_with_ip6tables_filter_end(expected_calls, filter_dump) 
@@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): '# Completed by iptables_manager\n' % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + mangle_dump_mod + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump_mod + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + raw_dump_mod), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: 
@@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): self.execute.assert_has_calls( [mock.call(['iptables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True)]) + process_input=mock.ANY, run_as_root=True, + privsep_exec=True)]) # The RuntimeError should have triggered a log of the input to the # process that it failed to execute. Verify by comparing the log @@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): num_calls = 3 expected_calls_and_values = [ - (mock.call(['iptables-save'], run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), FILTER_DUMP), (mock.call(['iptables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), PE_error), (mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None), ] if self.use_ipv6: num_calls += 2 expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) 
@@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): self.execute.reset_mock() num_calls = 2 expected_calls_and_values = [ - (mock.call(['iptables-save'], run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP), (mock.call(['iptables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None), ] if self.use_ipv6: num_calls += 2 expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n', '-w', '10', '-W', iptables_manager.XLOCK_WAIT_INTERVAL], - process_input=mock.ANY, run_as_root=True), + process_input=mock.ANY, run_as_root=True, + privsep_exec=True), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) 
@@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), ] if self.use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), '')) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10'], run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), '')) exp_packets *= 2 exp_bytes *= 2 
@@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '') ] if self.use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '')) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), TRAFFIC_COUNTERS_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-w', '10', '-Z'], - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), '')) exp_packets *= 2 exp_bytes *= 2 
@@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), (filter_dump_mod + MANGLE_RESTORE_DUMP + NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)), ] if self.use_ipv6: expected_calls_and_values.append( - (mock.call(['ip6tables-save'], run_as_root=True), + (mock.call(['ip6tables-save'], run_as_root=True, + privsep_exec=True), FILTER_DUMP)) expected_calls_and_values.append( (mock.call(['ip6tables-restore', '-n'], process_input=mock.ANY, run_as_root=True, - log_fail_as_error=False), + privsep_exec=True, log_fail_as_error=False), None)) tools.setup_mock_calls(self.execute, expected_calls_and_values) @@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase): % IPTABLES_ARG) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), (filter_dump_mod + MANGLE_RESTORE_DUMP + NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)), (mock.call(['iptables-restore', '-n'], process_input=RESTORE_INPUT, - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] 
@@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName( mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: @@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName( mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), - (mock.call(['iptables-save'], - run_as_root=True), + (mock.call(['iptables-save'], run_as_root=True, privsep_exec=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump + mangle_dump + nat_dump + raw_dump), - run_as_root=True, log_fail_as_error=False), + run_as_root=True, privsep_exec=True, + log_fail_as_error=False), None), ] if self.use_ipv6: diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 3ff77655069..9d8207e4262 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py 
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py @@ -2837,25 +2837,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): def _replay_iptables(self, v4_filter, v6_filter, raw): self._register_mock_call( - ['iptables-save'], - run_as_root=True, + ['iptables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['iptables-restore', '-n'], - process_input=self._regex(v4_filter + raw), - run_as_root=True, - log_fail_as_error=False, - return_value='') + process_input=self._regex(v4_filter + raw), run_as_root=True, + privsep_exec=True, log_fail_as_error=False, return_value='') self._register_mock_call( - ['ip6tables-save'], - run_as_root=True, + ['ip6tables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['ip6tables-restore', '-n'], - process_input=self._regex(v6_filter + raw), - run_as_root=True, - log_fail_as_error=False, - return_value='') + process_input=self._regex(v6_filter + raw), run_as_root=True, + privsep_exec=True, log_fail_as_error=False, return_value='') def test_prepare_remove_port(self): self.ipconntrack._device_zone_map = {}