Remove rootwrap execution (6)

Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call. This patch migrates the "kill_process" method to privsep and removes the unneeded rootwrap filters. Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf Story: #2007686 Task: #41558
2021-03-03 16:26:20 +00:00 · 2021-03-03 16:26:20 +00:00 · ee00bddce7
commit ee00bddce7
parent cbe02a8f09
10 changed files with 11 additions and 59 deletions
--- a/etc/neutron/rootwrap.d/debug.filters
+++ b/etc/neutron/rootwrap.d/debug.filters
@ -10,4 +10,3 @@

 # "sleep" command, only for testing
 sleep: RegExpFilter, sleep, root, sleep, \d+
-kill_sleep: KillFilter, root, sleep, -9
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ b/etc/neutron/rootwrap.d/dhcp.filters
@ -10,19 +10,11 @@

 # dhcp-agent
 dnsmasq: CommandFilter, dnsmasq, root
-# dhcp-agent uses kill as well, that's handled by the generic KillFilter
-# it looks like these are the only signals needed, per
-# neutron/agent/linux/dhcp.py
-kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
-kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
-# dnsmasq kill script filter
-kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root

 mm-ctl: CommandFilter, mm-ctl, root

 # haproxy
 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP

 # ip_lib
 ip: IpFilter, ip, root
--- a/etc/neutron/rootwrap.d/dibbler.filters
+++ b/etc/neutron/rootwrap.d/dibbler.filters
@ -14,8 +14,3 @@

 # prefix_delegation_agent
 dibbler-client: CommandFilter, dibbler-client, root
-kill_dibbler-client: KillFilter, root, dibbler-client, -9
-# dibbler kill script filter
-kill_dibbler_script: CommandFilter, dibbler-kill, root
-# dibbler-client kill script filter
-kill_dibbler-client_script: CommandFilter, dibbler-client-kill, root
--- a/etc/neutron/rootwrap.d/l3.filters
+++ b/etc/neutron/rootwrap.d/l3.filters
@ -14,21 +14,11 @@ radvd: CommandFilter, radvd, root

 # haproxy
 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
-kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
-# haproxy kill script filter
-kill_haproxy_script: CommandFilter, haproxy-kill, root
-
-kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
-kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
-kill_radvd_script: CommandFilter, radvd-kill, root

 # ip_lib
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root

-# For ip monitor
-kill_ip_monitor: KillFilter, root, ip, -9
-
 # iptables_manager
 iptables-save: CommandFilter, iptables-save, root
 iptables-restore: CommandFilter, iptables-restore, root
@ -37,27 +27,6 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root

 # Keepalived
 keepalived: CommandFilter, keepalived, root
-kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
-# keepalived kill script filter
-kill_keepalived_script: CommandFilter, keepalived-kill, root

 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
-# The following filters are used to kill the keepalived state change monitor.
-# Since the monitor runs as a Python script, the system reports that the
-# command of the process to be killed is python.
-# TODO(mlavalle) These kill filters will be updated once we come up with a
-# mechanism to kill using the name of the script being executed by Python
-kill_keepalived_monitor_py: KillFilter, root, python, -15, -9
-kill_keepalived_monitor_py3: KillFilter, root, python3, -15, -9
-kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9
-kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9
-kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9
-# For e.g. RHEL8 neutron-keepalived-state-change is run by "system python"
-# which is /usr/libexec/platform-python3.6 so this should be in filters also.
-# Path /usr/libexec isn't in PATH by default so it has to be given here as
-# absolute path
-kill_keepalived_monitor_platform_py: KillFilter, root, /usr/libexec/platform-python, -15, -9
-kill_keepalived_monitor_platform_py36: KillFilter, root, /usr/libexec/platform-python3.6, -15, -9
-# neutron-keepalived-state-change-monitor kill script filter
-kill_neutron-keepalived-state-change-monitor_script: CommandFilter, neutron-keepalived-state-change-monitor-kill, root
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@ -11,7 +11,6 @@
 # openvswitch-agent
 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
 ovs-ofctl: CommandFilter, ovs-ofctl, root
-kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
 ovsdb-client: CommandFilter, ovsdb-client, root

 # ip_lib
--- a/neutron/agent/linux/external_process.py
+++ b/neutron/agent/linux/external_process.py
@ -98,7 +98,7 @@ class ProcessManager(MonitoredProcess):
        else:
            self.disable('HUP')

-    def disable(self, sig='9', get_stop_command=None, privsep_exec=False):
+    def disable(self, sig='9', get_stop_command=None):
        pid = self.pid

        if self.active:
@ -107,11 +107,11 @@ class ProcessManager(MonitoredProcess):
                ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
                ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env,
                                         run_as_root=self.run_as_root,
-                                         privsep_exec=privsep_exec)
+                                         privsep_exec=True)
            else:
                cmd = self.get_kill_cmd(sig, pid)
                utils.execute(cmd, run_as_root=self.run_as_root,
-                              privsep_exec=privsep_exec)
+                              privsep_exec=True)
                # In the case of shutting down, remove the pid file
                if sig == '9':
                    utils.delete_if_exists(self.get_pid_file_name(),
--- a/neutron/agent/linux/utils.py
+++ b/neutron/agent/linux/utils.py
@ -214,11 +214,11 @@ def find_fork_top_parent(pid):
            return pid


-def kill_process(pid, signal, run_as_root=False, privsep_exec=False):
+def kill_process(pid, signal, run_as_root=False):
    """Kill the process with the given pid using the given signal."""
    try:
        execute(['kill', '-%d' % signal, pid], run_as_root=run_as_root,
-                privsep_exec=privsep_exec)
+                privsep_exec=True)
    except exceptions.ProcessExecutionError:
        if process_is_running(pid):
            raise
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@ -625,8 +625,7 @@ class NamespaceFixture(fixtures.Fixture):
                if self.ip_wrapper.netns.exists(self.name):
                    for pid in ip_lib.list_namespace_pids(self.name):
                        utils.kill_process(pid, signal.SIGKILL,
-                                           run_as_root=True,
-                                           privsep_exec=True)
+                                           run_as_root=True)
                    self.ip_wrapper.netns.delete(self.name)
            except helpers.TestTimerTimeout:
                LOG.warning('Namespace %s was not deleted due to a timeout.',
--- a/neutron/tests/unit/agent/linux/test_external_process.py
+++ b/neutron/tests/unit/agent/linux/test_external_process.py
@ -230,7 +230,7 @@ class TestProcessManager(base.BaseTestCase):
                    utils.assert_has_calls([
                        mock.call.execute(['kill', '-9', 4],
                                          run_as_root=False,
-                                          privsep_exec=False)])
+                                          privsep_exec=True)])

    def test_disable_namespace(self):
        with mock.patch.object(ep.ProcessManager, 'pid') as pid:
@ -245,7 +245,7 @@ class TestProcessManager(base.BaseTestCase):
                    utils.assert_has_calls([
                        mock.call.execute(['kill', '-9', 4],
                                          run_as_root=True,
-                                          privsep_exec=False)])
+                                          privsep_exec=True)])

    def test_disable_not_active(self):
        with mock.patch.object(ep.ProcessManager, 'pid') as pid:
@ -288,7 +288,7 @@ class TestProcessManager(base.BaseTestCase):
                    manager.disable()
                    utils.execute.assert_called_with(
                        expected_cmd, run_as_root=bool(namespace),
-                        privsep_exec=False)
+                        privsep_exec=True)

    def test_disable_custom_kill_script_no_namespace(self):
        self._test_disable_custom_kill_script(
--- a/neutron/tests/unit/agent/linux/test_utils.py
+++ b/neutron/tests/unit/agent/linux/test_utils.py
@ -238,11 +238,10 @@ class TestKillProcess(base.BaseTestCase):
                               side_effect=exc) as mock_execute:
            with mock.patch.object(utils, 'process_is_running',
                                   return_value=not pid_killed):
-                utils.kill_process(pid, kill_signal, run_as_root=True,
-                                   privsep_exec=False)
+                utils.kill_process(pid, kill_signal, run_as_root=True)

        mock_execute.assert_called_with(['kill', '-%d' % kill_signal, pid],
-                                        run_as_root=True, privsep_exec=False)
+                                        run_as_root=True, privsep_exec=True)

    def test_kill_process_returns_none_for_valid_pid(self):
        self._test_kill_process('1')