Remove rootwrap execution (4)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call. This patch migrates any "iptables" and "ipset" command related to privsep. Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c Story: #2007686 Task: #41558
This commit is contained in:
Rodolfo Alonso Hernandez
parent
da27fb0870
commit
6c75316ca0
|
|
@ -8,18 +8,6 @@
|
||||||
|
|
||||||
[Filters]
|
[Filters]
|
||||||
|
|
||||||
# neutron/agent/linux/iptables_firewall.py
|
|
||||||
# "iptables-save", ...
|
|
||||||
iptables-save: CommandFilter, iptables-save, root
|
|
||||||
iptables-restore: CommandFilter, iptables-restore, root
|
|
||||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
|
||||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
|
||||||
|
|
||||||
# neutron/agent/linux/iptables_firewall.py
|
|
||||||
# "iptables", "-A", ...
|
|
||||||
iptables: CommandFilter, iptables, root
|
|
||||||
ip6tables: CommandFilter, ip6tables, root
|
|
||||||
|
|
||||||
# neutron/agent/linux/iptables_firewall.py
|
# neutron/agent/linux/iptables_firewall.py
|
||||||
sysctl: CommandFilter, sysctl, root
|
sysctl: CommandFilter, sysctl, root
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -478,13 +478,14 @@ class IptablesManager(object):
|
||||||
args = ['iptables-save', '-t', table]
|
args = ['iptables-save', '-t', table]
|
||||||
if self.namespace:
|
if self.namespace:
|
||||||
args = ['ip', 'netns', 'exec', self.namespace] + args
|
args = ['ip', 'netns', 'exec', self.namespace] + args
|
||||||
return linux_utils.execute(args, run_as_root=True).split('\n')
|
return linux_utils.execute(args, run_as_root=True,
|
||||||
|
privsep_exec=True).split('\n')
|
||||||
|
|
||||||
def _get_version(self):
|
def _get_version(self):
|
||||||
# Output example is "iptables v1.6.2"
|
# Output example is "iptables v1.6.2"
|
||||||
args = ['iptables', '--version']
|
args = ['iptables', '--version']
|
||||||
version = str(linux_utils.execute(
|
version = str(linux_utils.execute(
|
||||||
args, run_as_root=True).split()[1][1:])
|
args, run_as_root=True, privsep_exec=True).split()[1][1:])
|
||||||
LOG.debug("IPTables version installed: %s", version)
|
LOG.debug("IPTables version installed: %s", version)
|
||||||
return version
|
return version
|
||||||
|
|
||||||
|
|
@ -510,7 +511,7 @@ class IptablesManager(object):
|
||||||
try:
|
try:
|
||||||
kwargs = {} if lock else {'log_fail_as_error': False}
|
kwargs = {} if lock else {'log_fail_as_error': False}
|
||||||
linux_utils.execute(args, process_input='\n'.join(commands),
|
linux_utils.execute(args, process_input='\n'.join(commands),
|
||||||
run_as_root=True, **kwargs)
|
run_as_root=True, privsep_exec=True, **kwargs)
|
||||||
except RuntimeError as error:
|
except RuntimeError as error:
|
||||||
return error
|
return error
|
||||||
|
|
||||||
|
|
@ -572,7 +573,8 @@ class IptablesManager(object):
|
||||||
if self.namespace:
|
if self.namespace:
|
||||||
args = ['ip', 'netns', 'exec', self.namespace] + args
|
args = ['ip', 'netns', 'exec', self.namespace] + args
|
||||||
try:
|
try:
|
||||||
save_output = linux_utils.execute(args, run_as_root=True)
|
save_output = linux_utils.execute(args, run_as_root=True,
|
||||||
|
privsep_exec=True)
|
||||||
except RuntimeError:
|
except RuntimeError:
|
||||||
# We could be racing with a cron job deleting namespaces.
|
# We could be racing with a cron job deleting namespaces.
|
||||||
# It is useless to try to apply iptables rules over and
|
# It is useless to try to apply iptables rules over and
|
||||||
|
|
@ -781,7 +783,8 @@ class IptablesManager(object):
|
||||||
# enabled is that we need to log the error. This is used to avoid
|
# enabled is that we need to log the error. This is used to avoid
|
||||||
# generating alarms that will be ignored by operators.
|
# generating alarms that will be ignored by operators.
|
||||||
current_table = linux_utils.execute(
|
current_table = linux_utils.execute(
|
||||||
args, run_as_root=True, log_fail_as_error=cfg.CONF.debug)
|
args, run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=cfg.CONF.debug)
|
||||||
current_lines = current_table.split('\n')
|
current_lines = current_table.split('\n')
|
||||||
|
|
||||||
for line in current_lines[2:]:
|
for line in current_lines[2:]:
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ def setup_conf():
|
||||||
def remove_iptables_reference(ipset):
|
def remove_iptables_reference(ipset):
|
||||||
# Remove any iptables reference to this IPset
|
# Remove any iptables reference to this IPset
|
||||||
cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']
|
cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']
|
||||||
iptables_save = utils.execute(cmd, run_as_root=True)
|
iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||||
|
|
||||||
if ipset in iptables_save:
|
if ipset in iptables_save:
|
||||||
cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']
|
cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']
|
||||||
|
|
@ -52,7 +52,8 @@ def remove_iptables_reference(ipset):
|
||||||
params = rule.split()
|
params = rule.split()
|
||||||
params[0] = '-D'
|
params[0] = '-D'
|
||||||
try:
|
try:
|
||||||
utils.execute(cmd + params, run_as_root=True)
|
utils.execute(cmd + params, run_as_root=True,
|
||||||
|
privsep_exec=True)
|
||||||
except Exception:
|
except Exception:
|
||||||
LOG.exception('Error, unable to remove iptables rule '
|
LOG.exception('Error, unable to remove iptables rule '
|
||||||
'for IPset: %s', ipset)
|
'for IPset: %s', ipset)
|
||||||
|
|
@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset):
|
||||||
LOG.info("Destroying IPset: %s", ipset)
|
LOG.info("Destroying IPset: %s", ipset)
|
||||||
cmd = ['ipset', 'destroy', ipset]
|
cmd = ['ipset', 'destroy', ipset]
|
||||||
try:
|
try:
|
||||||
utils.execute(cmd, run_as_root=True)
|
utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||||
except Exception:
|
except Exception:
|
||||||
LOG.exception('Error, unable to destroy IPset: %s', ipset)
|
LOG.exception('Error, unable to destroy IPset: %s', ipset)
|
||||||
|
|
||||||
|
|
@ -77,7 +78,7 @@ def cleanup_ipsets(conf):
|
||||||
LOG.info("Destroying IPsets with prefix: %s", conf.prefix)
|
LOG.info("Destroying IPsets with prefix: %s", conf.prefix)
|
||||||
|
|
||||||
cmd = ['ipset', '-L', '-n']
|
cmd = ['ipset', '-L', '-n']
|
||||||
ipsets = utils.execute(cmd, run_as_root=True)
|
ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||||
for ipset in ipsets.split('\n'):
|
for ipset in ipsets.split('\n'):
|
||||||
if conf.allsets or ipset.startswith(conf.prefix):
|
if conf.allsets or ipset.startswith(conf.prefix):
|
||||||
destroy_ipset(conf, ipset)
|
destroy_ipset(conf, ipset)
|
||||||
|
|
|
||||||
|
|
@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase):
|
||||||
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
|
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + mangle_dump +
|
process_input=(filter_dump_mod + mangle_dump +
|
||||||
COMMENTED_NAT_DUMP + raw_dump),
|
COMMENTED_NAT_DUMP + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + mangle_dump +
|
process_input=(FILTER_DUMP + mangle_dump +
|
||||||
COMMENTED_NAT_DUMP + raw_dump),
|
COMMENTED_NAT_DUMP + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||||
|
|
@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase):
|
||||||
|
|
||||||
def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump):
|
def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump):
|
||||||
expected_calls.extend([
|
expected_calls.extend([
|
||||||
(mock.call(['ip6tables-save'],
|
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||||
run_as_root=True),
|
privsep_exec=True),
|
||||||
''),
|
''),
|
||||||
(mock.call(['ip6tables-restore', '-n'],
|
(mock.call(['ip6tables-restore', '-n'],
|
||||||
process_input=filter_dump,
|
process_input=filter_dump, run_as_root=True,
|
||||||
run_as_root=True, log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
None)])
|
None)])
|
||||||
|
|
||||||
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
|
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
|
||||||
expected_calls.insert(2, (
|
expected_calls.insert(2, (
|
||||||
mock.call(['ip6tables-save'],
|
mock.call(['ip6tables-save'],
|
||||||
run_as_root=True),
|
run_as_root=True, privsep_exec=True),
|
||||||
''))
|
''))
|
||||||
expected_calls.insert(3, (
|
expected_calls.insert(3, (
|
||||||
mock.call(['ip6tables-restore', '-n'],
|
mock.call(['ip6tables-restore', '-n'],
|
||||||
process_input=filter_dump,
|
process_input=filter_dump, run_as_root=True,
|
||||||
run_as_root=True, log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
None))
|
None))
|
||||||
self._extend_with_ip6tables_filter_end(expected_calls, filter_dump)
|
self._extend_with_ip6tables_filter_end(expected_calls, filter_dump)
|
||||||
|
|
||||||
|
|
@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
|
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||||
RAW_DUMP),
|
RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||||
RAW_DUMP),
|
RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
'# Completed by iptables_manager\n' % IPTABLES_ARG)
|
'# Completed by iptables_manager\n' % IPTABLES_ARG)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + mangle_dump_mod +
|
process_input=(FILTER_DUMP + mangle_dump_mod +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||||
NAT_DUMP + RAW_DUMP),
|
NAT_DUMP + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||||
nat_dump_mod + RAW_DUMP),
|
nat_dump_mod + RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
|
process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
|
||||||
RAW_DUMP),
|
RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
% IPTABLES_ARG)
|
% IPTABLES_ARG)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||||
raw_dump_mod),
|
raw_dump_mod),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||||
RAW_DUMP),
|
RAW_DUMP),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
self.execute.assert_has_calls(
|
self.execute.assert_has_calls(
|
||||||
[mock.call(['iptables-restore', '-n'],
|
[mock.call(['iptables-restore', '-n'],
|
||||||
process_input=mock.ANY, run_as_root=True,
|
process_input=mock.ANY, run_as_root=True,
|
||||||
log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
mock.call(['iptables-restore', '-n', '-w', '10',
|
mock.call(['iptables-restore', '-n', '-w', '10',
|
||||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||||
process_input=mock.ANY, run_as_root=True)])
|
process_input=mock.ANY, run_as_root=True,
|
||||||
|
privsep_exec=True)])
|
||||||
|
|
||||||
# The RuntimeError should have triggered a log of the input to the
|
# The RuntimeError should have triggered a log of the input to the
|
||||||
# process that it failed to execute. Verify by comparing the log
|
# process that it failed to execute. Verify by comparing the log
|
||||||
|
|
@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
|
|
||||||
num_calls = 3
|
num_calls = 3
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'], run_as_root=True),
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
FILTER_DUMP),
|
FILTER_DUMP),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=mock.ANY, run_as_root=True,
|
process_input=mock.ANY, run_as_root=True,
|
||||||
log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
PE_error),
|
PE_error),
|
||||||
(mock.call(['iptables-restore', '-n', '-w', '10',
|
(mock.call(['iptables-restore', '-n', '-w', '10',
|
||||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||||
process_input=mock.ANY, run_as_root=True),
|
process_input=mock.ANY, run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
num_calls += 2
|
num_calls += 2
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
FILTER_DUMP))
|
FILTER_DUMP))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
||||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||||
process_input=mock.ANY, run_as_root=True),
|
process_input=mock.ANY, run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
None))
|
None))
|
||||||
|
|
||||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||||
|
|
@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
self.execute.reset_mock()
|
self.execute.reset_mock()
|
||||||
num_calls = 2
|
num_calls = 2
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'], run_as_root=True),
|
(mock.call(['iptables-save'], run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
FILTER_DUMP),
|
FILTER_DUMP),
|
||||||
(mock.call(['iptables-restore', '-n', '-w', '10',
|
(mock.call(['iptables-restore', '-n', '-w', '10',
|
||||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||||
process_input=mock.ANY, run_as_root=True),
|
process_input=mock.ANY, run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
num_calls += 2
|
num_calls += 2
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
FILTER_DUMP))
|
FILTER_DUMP))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
||||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||||
process_input=mock.ANY, run_as_root=True),
|
process_input=mock.ANY, run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
None))
|
None))
|
||||||
|
|
||||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||||
|
|
@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10'],
|
'-n', '-v', '-x', '-w', '10'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
TRAFFIC_COUNTERS_DUMP),
|
TRAFFIC_COUNTERS_DUMP),
|
||||||
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10'],
|
'-v', '-x', '-w', '10'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10'],
|
'-v', '-x', '-w', '10'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10'],
|
'-v', '-x', '-w', '10'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''),
|
''),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
||||||
log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
''))
|
''))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10'],
|
'-n', '-v', '-x', '-w', '10'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
TRAFFIC_COUNTERS_DUMP))
|
TRAFFIC_COUNTERS_DUMP))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
||||||
log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
''))
|
''))
|
||||||
exp_packets *= 2
|
exp_packets *= 2
|
||||||
exp_bytes *= 2
|
exp_bytes *= 2
|
||||||
|
|
@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
TRAFFIC_COUNTERS_DUMP),
|
TRAFFIC_COUNTERS_DUMP),
|
||||||
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10', '-Z'],
|
'-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10', '-Z'],
|
'-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
||||||
'-v', '-x', '-w', '10', '-Z'],
|
'-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
'')
|
'')
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''))
|
''))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
TRAFFIC_COUNTERS_DUMP))
|
TRAFFIC_COUNTERS_DUMP))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
||||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
''))
|
''))
|
||||||
exp_packets *= 2
|
exp_packets *= 2
|
||||||
exp_bytes *= 2
|
exp_bytes *= 2
|
||||||
|
|
@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args
|
filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
||||||
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||||
|
privsep_exec=True),
|
||||||
FILTER_DUMP))
|
FILTER_DUMP))
|
||||||
expected_calls_and_values.append(
|
expected_calls_and_values.append(
|
||||||
(mock.call(['ip6tables-restore', '-n'],
|
(mock.call(['ip6tables-restore', '-n'],
|
||||||
process_input=mock.ANY, run_as_root=True,
|
process_input=mock.ANY, run_as_root=True,
|
||||||
log_fail_as_error=False),
|
privsep_exec=True, log_fail_as_error=False),
|
||||||
None))
|
None))
|
||||||
|
|
||||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||||
|
|
@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||||
% IPTABLES_ARG)
|
% IPTABLES_ARG)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
||||||
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=RESTORE_INPUT,
|
process_input=RESTORE_INPUT,
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName(
|
||||||
mangle_dump = _generate_mangle_dump(iptables_args)
|
mangle_dump = _generate_mangle_dump(iptables_args)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + mangle_dump +
|
process_input=(filter_dump_mod + mangle_dump +
|
||||||
nat_dump + raw_dump),
|
nat_dump + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump + mangle_dump +
|
process_input=(filter_dump + mangle_dump +
|
||||||
nat_dump + raw_dump),
|
nat_dump + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName(
|
||||||
mangle_dump = _generate_mangle_dump(iptables_args)
|
mangle_dump = _generate_mangle_dump(iptables_args)
|
||||||
|
|
||||||
expected_calls_and_values = [
|
expected_calls_and_values = [
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump_mod + mangle_dump +
|
process_input=(filter_dump_mod + mangle_dump +
|
||||||
nat_dump + raw_dump),
|
nat_dump + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
(mock.call(['iptables-save'],
|
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||||
run_as_root=True),
|
|
||||||
''),
|
''),
|
||||||
(mock.call(['iptables-restore', '-n'],
|
(mock.call(['iptables-restore', '-n'],
|
||||||
process_input=(filter_dump + mangle_dump +
|
process_input=(filter_dump + mangle_dump +
|
||||||
nat_dump + raw_dump),
|
nat_dump + raw_dump),
|
||||||
run_as_root=True, log_fail_as_error=False),
|
run_as_root=True, privsep_exec=True,
|
||||||
|
log_fail_as_error=False),
|
||||||
None),
|
None),
|
||||||
]
|
]
|
||||||
if self.use_ipv6:
|
if self.use_ipv6:
|
||||||
|
|
|
||||||
|
|
@ -2837,25 +2837,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
|
||||||
|
|
||||||
def _replay_iptables(self, v4_filter, v6_filter, raw):
|
def _replay_iptables(self, v4_filter, v6_filter, raw):
|
||||||
self._register_mock_call(
|
self._register_mock_call(
|
||||||
['iptables-save'],
|
['iptables-save'], run_as_root=True, privsep_exec=True,
|
||||||
run_as_root=True,
|
|
||||||
return_value='')
|
return_value='')
|
||||||
self._register_mock_call(
|
self._register_mock_call(
|
||||||
['iptables-restore', '-n'],
|
['iptables-restore', '-n'],
|
||||||
process_input=self._regex(v4_filter + raw),
|
process_input=self._regex(v4_filter + raw), run_as_root=True,
|
||||||
run_as_root=True,
|
privsep_exec=True, log_fail_as_error=False, return_value='')
|
||||||
log_fail_as_error=False,
|
|
||||||
return_value='')
|
|
||||||
self._register_mock_call(
|
self._register_mock_call(
|
||||||
['ip6tables-save'],
|
['ip6tables-save'], run_as_root=True, privsep_exec=True,
|
||||||
run_as_root=True,
|
|
||||||
return_value='')
|
return_value='')
|
||||||
self._register_mock_call(
|
self._register_mock_call(
|
||||||
['ip6tables-restore', '-n'],
|
['ip6tables-restore', '-n'],
|
||||||
process_input=self._regex(v6_filter + raw),
|
process_input=self._regex(v6_filter + raw), run_as_root=True,
|
||||||
run_as_root=True,
|
privsep_exec=True, log_fail_as_error=False, return_value='')
|
||||||
log_fail_as_error=False,
|
|
||||||
return_value='')
|
|
||||||
|
|
||||||
def test_prepare_remove_port(self):
|
def test_prepare_remove_port(self):
|
||||||
self.ipconntrack._device_zone_map = {}
|
self.ipconntrack._device_zone_map = {}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue