"ping"/"ping6" command support in rootwrap filters

To have correct support in rootwrap, "ping"/"ping6" command should
have the correct filters in rootwrap.

Because "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and the order.

Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>

Those commands could be called from inside a namespace. The needed
filter is also added in this patch.

Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006

etc/neutron/rootwrap.d/debug.filters

@@ -12,10 +12,10 @@
 # from inside a namespace which requires root
 # _alt variants allow to match -c and -w in any order
 #   (used by NeutronDebugAgent.ping_all)
-ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping: CommandFilter, ping, root
-ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
+ping6: CommandFilter, ping6, root
-ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping_exec: IpNetnsExecFilter, ping, root
-ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
+ping6_exec: IpNetnsExecFilter, ping6, root
 
 # "sleep" command, only for testing
 sleep: RegExpFilter, sleep, root, sleep, \d+

neutron/tests/common/net_helpers.py

@@ -111,7 +111,7 @@ def assert_ping(src_namespace, dst_ip, timeout=1, count=3):
     ipversion = netaddr.IPAddress(dst_ip).version
     ping_command = 'ping' if ipversion == 4 else 'ping6'
     ns_ip_wrapper = ip_lib.IPWrapper(src_namespace)
-    ns_ip_wrapper.netns.execute([ping_command, '-c', count, '-W', timeout,
+    ns_ip_wrapper.netns.execute([ping_command, '-W', timeout, '-c', count,
                                  dst_ip])
 
 
@@ -124,7 +124,7 @@ def assert_async_ping(src_namespace, dst_ip, timeout=1, count=1, interval=1):
     # cannot be used and it needs to be done using the following workaround.
     for _index in range(count):
         start_time = time.time()
-        ns_ip_wrapper.netns.execute([ping_command, '-c', '1', '-W', timeout,
+        ns_ip_wrapper.netns.execute([ping_command, '-W', timeout, '-c', '1',
                                      dst_ip])
         end_time = time.time()
         diff = end_time - start_time
@@ -416,11 +416,12 @@ class Pinger(object):
             raise RuntimeError("This pinger has already a running process")
         ip_version = common_utils.get_ip_version(self.address)
         ping_exec = 'ping' if ip_version == n_const.IP_VERSION_4 else 'ping6'
-        cmd = [ping_exec, self.address, '-W', str(self.timeout)]
+        cmd = [ping_exec, '-W', str(self.timeout)]
         if self.count:
             cmd.extend(['-c', str(self.count)])
         if self.interval:
             cmd.extend(['-i', str(self.interval)])
+        cmd.append(self.address)
         self.proc = RootHelperProcess(cmd, namespace=self.namespace)
 
     def stop(self):

neutron/tests/functional/agent/l3/test_legacy_router.py

@@ -320,7 +320,7 @@ class L3AgentTestCase(framework.L3AgentTestFramework):
         # Verify that the ping replys with fip
         ns_ip_wrapper = ip_lib.IPWrapper(src_machine.namespace)
         result = ns_ip_wrapper.netns.execute(
-            ['ping', '-c', 1, '-W', 5, dst_fip])
+            ['ping', '-W', 5, '-c', 1, dst_fip])
         self._assert_ping_reply_from_expected_address(result, dst_fip)
 
     def _setup_address_scope(self, internal_address_scope1,