Merge "Remove rootwrap execution (4)"

Zuul 2021-02-17 15:43:21 +00:00 committed by Gerrit Code Review
commit 6ec5ef4357
5 changed files with 132 additions and 126 deletions


@ -8,18 +8,6 @@
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root


@ -478,13 +478,14 @@ class IptablesManager(object):
args = ['iptables-save', '-t', table]
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
return linux_utils.execute(args, run_as_root=True).split('\n')
return linux_utils.execute(args, run_as_root=True,
privsep_exec=True).split('\n')
def _get_version(self):
# Output example is "iptables v1.6.2"
args = ['iptables', '--version']
version = str(linux_utils.execute(
args, run_as_root=True).split()[1][1:])
args, run_as_root=True, privsep_exec=True).split()[1][1:])
LOG.debug("IPTables version installed: %s", version)
return version
@ -510,7 +511,7 @@ class IptablesManager(object):
try:
kwargs = {} if lock else {'log_fail_as_error': False}
linux_utils.execute(args, process_input='\n'.join(commands),
run_as_root=True, **kwargs)
run_as_root=True, privsep_exec=True, **kwargs)
except RuntimeError as error:
return error
@ -572,7 +573,8 @@ class IptablesManager(object):
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
try:
save_output = linux_utils.execute(args, run_as_root=True)
save_output = linux_utils.execute(args, run_as_root=True,
privsep_exec=True)
except RuntimeError:
# We could be racing with a cron job deleting namespaces.
# It is useless to try to apply iptables rules over and
@ -781,7 +783,8 @@ class IptablesManager(object):
# enabled is that we need to log the error. This is used to avoid
# generating alarms that will be ignored by operators.
current_table = linux_utils.execute(
args, run_as_root=True, log_fail_as_error=cfg.CONF.debug)
args, run_as_root=True, privsep_exec=True,
log_fail_as_error=cfg.CONF.debug)
current_lines = current_table.split('\n')
for line in current_lines[2:]:
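Review bot: The version probe in `_get_version` still takes the privileged path: `iptables --version` only prints the binary's version string and most likely does not need root, yet the new call passes `run_as_root=True, privsep_exec=True`. With the rootwrap `CommandFilter` entries for these binaries removed in the same commit, each privileged call is one more argv handed to the privsep side, so it is worth limiting that set to commands that really need it. If unprivileged execution works in the supported deployments, `version = str(linux_utils.execute(args).split()[1][1:])` would be enough. Separately, `.split()[1][1:]` raises IndexError when the output is not of the form `iptables v1.6.2`; a guard or a clear error there would make failures easier to diagnose.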


@ -40,7 +40,7 @@ def setup_conf():
def remove_iptables_reference(ipset):
# Remove any iptables reference to this IPset
cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']
iptables_save = utils.execute(cmd, run_as_root=True)
iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True)
if ipset in iptables_save:
cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']
@ -52,7 +52,8 @@ def remove_iptables_reference(ipset):
params = rule.split()
params[0] = '-D'
try:
utils.execute(cmd + params, run_as_root=True)
utils.execute(cmd + params, run_as_root=True,
privsep_exec=True)
except Exception:
LOG.exception('Error, unable to remove iptables rule '
'for IPset: %s', ipset)
@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset):
LOG.info("Destroying IPset: %s", ipset)
cmd = ['ipset', 'destroy', ipset]
try:
utils.execute(cmd, run_as_root=True)
utils.execute(cmd, run_as_root=True, privsep_exec=True)
except Exception:
LOG.exception('Error, unable to destroy IPset: %s', ipset)
@ -77,7 +78,7 @@ def cleanup_ipsets(conf):
LOG.info("Destroying IPsets with prefix: %s", conf.prefix)
cmd = ['ipset', '-L', '-n']
ipsets = utils.execute(cmd, run_as_root=True)
ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True)
for ipset in ipsets.split('\n'):
if conf.allsets or ipset.startswith(conf.prefix):
destroy_ipset(conf, ipset)
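Review bot: In `cleanup_ipsets`, `ipsets.split('\n')` can yield an empty string (for example from a trailing newline in the `ipset -L -n` output, if `utils.execute` does not strip it). With `conf.allsets` set, that empty name is passed to `destroy_ipset`, which now runs `['ipset', 'destroy', ipset]` through privsep. Skipping blanks keeps the privileged calls to real set names: `if ipset and (conf.allsets or ipset.startswith(conf.prefix)):`. In the same file, `remove_iptables_reference` tests `if ipset in iptables_save:` as a plain substring match, so a set whose name is a prefix of another set's name would also match; an exact-token comparison would be safer. Both functions extend beyond the hunks shown here.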


@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase):
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + mangle_dump +
COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase):
def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump):
expected_calls.extend([
(mock.call(['ip6tables-save'],
run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
''),
(mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True, log_fail_as_error=False),
process_input=filter_dump, run_as_root=True,
privsep_exec=True, log_fail_as_error=False),
None)])
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
expected_calls.insert(2, (
mock.call(['ip6tables-save'],
run_as_root=True),
run_as_root=True, privsep_exec=True),
''))
expected_calls.insert(3, (
mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True, log_fail_as_error=False),
process_input=filter_dump, run_as_root=True,
privsep_exec=True, log_fail_as_error=False),
None))
self._extend_with_ip6tables_filter_end(expected_calls, filter_dump)
@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
'# Completed by iptables_manager\n' % IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + mangle_dump_mod +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
nat_dump_mod + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
% IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
raw_dump_mod),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
self.execute.assert_has_calls(
[mock.call(['iptables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True)])
process_input=mock.ANY, run_as_root=True,
privsep_exec=True)])
# The RuntimeError should have triggered a log of the input to the
# process that it failed to execute. Verify by comparing the log
@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
num_calls = 3
expected_calls_and_values = [
(mock.call(['iptables-save'], run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
FILTER_DUMP),
(mock.call(['iptables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
PE_error),
(mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None),
]
if self.use_ipv6:
num_calls += 2
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
self.execute.reset_mock()
num_calls = 2
expected_calls_and_values = [
(mock.call(['iptables-save'], run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP),
(mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None),
]
if self.use_ipv6:
num_calls += 2
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
''))
exp_packets *= 2
exp_bytes *= 2
@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
'')
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''))
exp_packets *= 2
exp_bytes *= 2
@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
(filter_dump_mod + MANGLE_RESTORE_DUMP +
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
% IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
(filter_dump_mod + MANGLE_RESTORE_DUMP +
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
(mock.call(['iptables-restore', '-n'],
process_input=RESTORE_INPUT,
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName(
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName(
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
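Review bot: The pair `run_as_root=True, privsep_exec=True` is now spelled out by hand in every expected `mock.call` across these test cases, so the next change to how `execute` is invoked will again have to touch each list individually. A small module-level helper would keep the expectation in one place, e.g. `def _priv_call(cmd, **kw): return mock.call(cmd, run_as_root=True, privsep_exec=True, **kw)`, used as `_priv_call(['iptables-save'])`. The test methods these hunks belong to start and end outside the visible lines.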


@ -2936,25 +2936,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
def _replay_iptables(self, v4_filter, v6_filter, raw):
self._register_mock_call(
['iptables-save'],
run_as_root=True,
['iptables-save'], run_as_root=True, privsep_exec=True,
return_value='')
self._register_mock_call(
['iptables-restore', '-n'],
process_input=self._regex(v4_filter + raw),
run_as_root=True,
log_fail_as_error=False,
return_value='')
process_input=self._regex(v4_filter + raw), run_as_root=True,
privsep_exec=True, log_fail_as_error=False, return_value='')
self._register_mock_call(
['ip6tables-save'],
run_as_root=True,
['ip6tables-save'], run_as_root=True, privsep_exec=True,
return_value='')
self._register_mock_call(
['ip6tables-restore', '-n'],
process_input=self._regex(v6_filter + raw),
run_as_root=True,
log_fail_as_error=False,
return_value='')
process_input=self._regex(v6_filter + raw), run_as_root=True,
privsep_exec=True, log_fail_as_error=False, return_value='')
def test_prepare_remove_port(self):
self.ipconntrack._device_zone_map = {}