From be7bb4d0f584a05d3e2725f1179ffaed6e8f449d Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Date: Mon, 5 Aug 2019 15:03:27 +0000
Subject: [PATCH] Kill all processes running in a namespace before deletion

In "NamespaceFixture", before deleting the namespace, this patch
introduces a check to first kill all processes running on it.

Closes-Bug: #1838793

Change-Id: I27f3db33f2e7ab685523fd2d6922177d7c9cb71b
---
 etc/neutron/rootwrap.d/debug.filters          |  6 +++-
 neutron/agent/linux/ip_lib.py                 |  9 +++++
 neutron/privileged/__init__.py                |  3 +-
 neutron/privileged/agent/linux/ip_lib.py      |  6 ++++
 neutron/tests/common/net_helpers.py           |  2 ++
 .../privileged/agent/linux/test_ip_lib.py     | 35 +++++++++++++++++++
 6 files changed, 59 insertions(+), 2 deletions(-)

diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters
index 8d72ce2b1e3..8d7a2dc69e4 100644
--- a/etc/neutron/rootwrap.d/debug.filters
+++ b/etc/neutron/rootwrap.d/debug.filters
@@ -15,4 +15,8 @@
 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
-ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
\ No newline at end of file
+ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
+
+# "sleep" command, only for testing
+sleep: RegExpFilter, sleep, root, sleep, \d+
+kill_sleep: KillFilter, root, sleep, -9
diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py
index 7e008b67e11..81d0acca866 100644
--- a/neutron/agent/linux/ip_lib.py
+++ b/neutron/agent/linux/ip_lib.py
@@ -932,6 +932,15 @@ def network_namespace_exists(namespace, try_is_ready=False, **kwargs):
     return False
 
 
+def list_namespace_pids(namespace):
+    """List namespace process PIDs
+
+    :param namespace: (string) the name of the namespace
+    :return: (tuple)
+    """
+    return privileged.list_ns_pids(namespace)
+
+
 def ensure_device_is_ready(device_name, namespace=None):
     dev = IPDevice(device_name, namespace=namespace)
     try:
diff --git a/neutron/privileged/__init__.py b/neutron/privileged/__init__.py
index 43bb3c2228e..296dba5c777 100644
--- a/neutron/privileged/__init__.py
+++ b/neutron/privileged/__init__.py
@@ -25,5 +25,6 @@ default = priv_context.PrivContext(
     capabilities=[caps.CAP_SYS_ADMIN,
                   caps.CAP_NET_ADMIN,
                   caps.CAP_DAC_OVERRIDE,
-                  caps.CAP_DAC_READ_SEARCH],
+                  caps.CAP_DAC_READ_SEARCH,
+                  caps.CAP_SYS_PTRACE],
 )
diff --git a/neutron/privileged/agent/linux/ip_lib.py b/neutron/privileged/agent/linux/ip_lib.py
index 65122b32ea3..e4c58bf8929 100644
--- a/neutron/privileged/agent/linux/ip_lib.py
+++ b/neutron/privileged/agent/linux/ip_lib.py
@@ -187,6 +187,12 @@ def open_namespace(namespace):
         pass
 
 
+@privileged.default.entrypoint
+def list_ns_pids(namespace):
+    """List namespace process PIDs"""
+    return netns.ns_pids().get(namespace, [])
+
+
 def _translate_ip_device_exception(e, device=None, namespace=None):
     if e.code == errno.ENODEV:
         raise NetworkInterfaceNotFound(device=device, namespace=namespace)
diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py
index 5a4c9110bb5..4f274935448 100644
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -585,6 +585,8 @@ class NamespaceFixture(fixtures.Fixture):
 
     def destroy(self):
         if self.ip_wrapper.netns.exists(self.name):
+            for pid in ip_lib.list_namespace_pids(self.name):
+                utils.kill_process(pid, signal.SIGKILL, run_as_root=True)
             self.ip_wrapper.netns.delete(self.name)
 
 
diff --git a/neutron/tests/functional/privileged/agent/linux/test_ip_lib.py b/neutron/tests/functional/privileged/agent/linux/test_ip_lib.py
index 6ec96a96928..32fa9a9abff 100644
--- a/neutron/tests/functional/privileged/agent/linux/test_ip_lib.py
+++ b/neutron/tests/functional/privileged/agent/linux/test_ip_lib.py
@@ -12,6 +12,9 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import functools
+
+import eventlet
 import netaddr
 from neutron_lib import constants as n_cons
 from oslo_utils import uuidutils
@@ -618,3 +621,35 @@ class GetLinkAttributesTestCase(functional_base.BaseSudoTestCase):
                          'alias', 'allmulticast', 'link_kind']
         attr = self.device.link.attributes
         self.assertSetEqual(set(expected_attr), set(attr.keys()))
+
+
+class ListNamespacePids(functional_base.BaseSudoTestCase):
+
+    def setUp(self):
+        super(ListNamespacePids, self).setUp()
+        self.namespace = self.useFixture(net_helpers.NamespaceFixture()).name
+
+    @staticmethod
+    def _run_sleep(namespace):
+        ip_wrapper = ip_lib.IPWrapper(namespace=namespace)
+        ip_wrapper.netns.execute(['sleep', '100'], check_exit_code=False)
+
+    def _check_pids(self, num_pids, namespace=None):
+        namespace = self.namespace if not namespace else namespace
+        self.pids = priv_ip_lib.list_ns_pids(namespace)
+        return len(self.pids) == num_pids
+
+    def test_list_namespace_pids(self):
+        eventlet.spawn_n(self._run_sleep, self.namespace)
+
+        try:
+            check_pids = functools.partial(self._check_pids, 1)
+            common_utils.wait_until_true(check_pids, timeout=5)
+        except common_utils.WaitTimeout:
+            self.fail('Process no found in namespace %s' % self.namespace)
+
+    def test_list_namespace_pids_nothing_running_inside(self):
+        self.assertTrue(self._check_pids(0))
+
+    def test_list_namespace_not_created(self):
+        self.assertTrue(self._check_pids(0, namespace='othernamespace'))