diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters index cfc38706484..33d5e575222 100644 --- a/etc/neutron/rootwrap.d/debug.filters +++ b/etc/neutron/rootwrap.d/debug.filters @@ -10,4 +10,3 @@ # "sleep" command, only for testing sleep: RegExpFilter, sleep, root, sleep, \d+ -kill_sleep: KillFilter, root, sleep, -9 diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters index d2005fcc1e3..960ec31b01f 100644 --- a/etc/neutron/rootwrap.d/dhcp.filters +++ b/etc/neutron/rootwrap.d/dhcp.filters @@ -10,19 +10,11 @@ # dhcp-agent dnsmasq: CommandFilter, dnsmasq, root -# dhcp-agent uses kill as well, that's handled by the generic KillFilter -# it looks like these are the only signals needed, per -# neutron/agent/linux/dhcp.py -kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15 -kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15 -# dnsmasq kill script filter -kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root mm-ctl: CommandFilter, mm-ctl, root # haproxy haproxy: RegExpFilter, haproxy, root, haproxy, -f, .* -kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP # ip_lib ip: IpFilter, ip, root diff --git a/etc/neutron/rootwrap.d/dibbler.filters b/etc/neutron/rootwrap.d/dibbler.filters index 18d20782604..eea55252f35 100644 --- a/etc/neutron/rootwrap.d/dibbler.filters +++ b/etc/neutron/rootwrap.d/dibbler.filters @@ -14,8 +14,3 @@ # prefix_delegation_agent dibbler-client: CommandFilter, dibbler-client, root -kill_dibbler-client: KillFilter, root, dibbler-client, -9 -# dibbler kill script filter -kill_dibbler_script: CommandFilter, dibbler-kill, root -# dibbler-client kill script filter -kill_dibbler-client_script: CommandFilter, dibbler-client-kill, root diff --git a/etc/neutron/rootwrap.d/l3.filters b/etc/neutron/rootwrap.d/l3.filters index c7eb2ab0f56..fb00275e357 100644 --- a/etc/neutron/rootwrap.d/l3.filters +++ b/etc/neutron/rootwrap.d/l3.filters 
@@ -14,21 +14,11 @@ radvd: CommandFilter, radvd, root # haproxy haproxy: RegExpFilter, haproxy, root, haproxy, -f, .* -kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP -# haproxy kill script filter -kill_haproxy_script: CommandFilter, haproxy-kill, root - -kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP -kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP -kill_radvd_script: CommandFilter, radvd-kill, root # ip_lib ip: IpFilter, ip, root ip_exec: IpNetnsExecFilter, ip, root -# For ip monitor -kill_ip_monitor: KillFilter, root, ip, -9 - # iptables_manager iptables-save: CommandFilter, iptables-save, root iptables-restore: CommandFilter, iptables-restore, root 
@@ -37,27 +27,6 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root # Keepalived keepalived: CommandFilter, keepalived, root -kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9 -# keepalived kill script filter -kill_keepalived_script: CommandFilter, keepalived-kill, root # keepalived state change monitor keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root -# The following filters are used to kill the keepalived state change monitor. -# Since the monitor runs as a Python script, the system reports that the -# command of the process to be killed is python. -# TODO(mlavalle) These kill filters will be updated once we come up with a -# mechanism to kill using the name of the script being executed by Python -kill_keepalived_monitor_py: KillFilter, root, python, -15, -9 -kill_keepalived_monitor_py3: KillFilter, root, python3, -15, -9 -kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9 -kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9 -kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9 -# For e.g. RHEL8 neutron-keepalived-state-change is run by "system python" -# which is /usr/libexec/platform-python3.6 so this should be in filters also. -# Path /usr/libexec isn't in PATH by default so it has to be given here as -# absolute path -kill_keepalived_monitor_platform_py: KillFilter, root, /usr/libexec/platform-python, -15, -9 -kill_keepalived_monitor_platform_py36: KillFilter, root, /usr/libexec/platform-python3.6, -15, -9 -# neutron-keepalived-state-change-monitor kill script filter -kill_neutron-keepalived-state-change-monitor_script: CommandFilter, neutron-keepalived-state-change-monitor-kill, root diff --git a/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/etc/neutron/rootwrap.d/openvswitch-plugin.filters index 85ae5282547..92234424ee5 100644 --- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters +++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters 
@@ -11,7 +11,6 @@ # openvswitch-agent # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl ovs-ofctl: CommandFilter, ovs-ofctl, root -kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9 ovsdb-client: CommandFilter, ovsdb-client, root # ip_lib diff --git a/neutron/agent/linux/external_process.py b/neutron/agent/linux/external_process.py index 20bb089b1d2..e8437336ae8 100644 --- a/neutron/agent/linux/external_process.py +++ b/neutron/agent/linux/external_process.py @@ -98,7 +98,7 @@ class ProcessManager(MonitoredProcess): else: self.disable('HUP') - def disable(self, sig='9', get_stop_command=None, privsep_exec=False): + def disable(self, sig='9', get_stop_command=None): pid = self.pid if self.active: @@ -107,11 +107,11 @@ class ProcessManager(MonitoredProcess): ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace) ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env, run_as_root=self.run_as_root, - privsep_exec=privsep_exec) + privsep_exec=True) else: cmd = self.get_kill_cmd(sig, pid) utils.execute(cmd, run_as_root=self.run_as_root, - privsep_exec=privsep_exec) + privsep_exec=True) # In the case of shutting down, remove the pid file if sig == '9': utils.delete_if_exists(self.get_pid_file_name(), diff --git a/neutron/agent/linux/utils.py b/neutron/agent/linux/utils.py index bf2a05bc2bd..c7e39d73037 100644 --- a/neutron/agent/linux/utils.py +++ b/neutron/agent/linux/utils.py @@ -214,11 +214,11 @@ def find_fork_top_parent(pid): return pid -def kill_process(pid, signal, run_as_root=False, privsep_exec=False): +def kill_process(pid, signal, run_as_root=False): """Kill the process with the given pid using the given signal.""" try: execute(['kill', '-%d' % signal, pid], run_as_root=run_as_root, - privsep_exec=privsep_exec) + privsep_exec=True) except exceptions.ProcessExecutionError: if process_is_running(pid): raise diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py index 2ac810b1146..bff08b5ae8f 100644 
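Review bot: Removing the `privsep_exec` keyword from `disable()` in the first external_process.py hunk turns any caller that still passes it into a `TypeError` at the moment a process is being stopped. `kill_process()` in neutron/agent/linux/utils.py loses the same keyword. Callers outside this diff are not visible here, so it is worth confirming that none remain in dependent projects. If a transition period is wanted, the parameter could stay as an ignored, deprecated argument, `def disable(self, sig='9', get_stop_command=None, privsep_exec=None):`, with a docstring line saying the kill always runs through privsep. The body of `disable()` continues past the end of this hunk.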
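Review bot: With `privsep_exec=True` fixed on both `execute` calls in `disable()`, the `if self.active:` check is the only guard visible in this hunk that ties `pid` to the managed process. The rootwrap `KillFilter` and `*-kill` `CommandFilter` entries that limited the target executable and the allowed signals are deleted in the same commit, so `sig` and the command returned by `get_stop_command` no longer pass through that allow-list. A comment above the branch should say so, for example `# Runs via privsep: no rootwrap filter checks the target executable or signal; self.active is the only guard.` It would also help to confirm in `utils.execute` (not part of this diff) that `privsep_exec=True` has no effect when `self.run_as_root` is false. `disable()` starts before this hunk and continues after it.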
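Review bot: `kill_process()` passes `pid` straight into the `kill` argv, and with `privsep_exec=True` hard-coded a root kill no longer goes through a rootwrap `KillFilter` entry naming the permitted executable. Nothing in the function checks that `pid` is a positive integer, and zero or negative values make `kill` address process groups rather than a single process. A guard before the `try` is cheap insurance: `if int(pid) <= 0: raise ValueError('invalid pid: %s' % pid)`. The docstring should also state that `run_as_root=True` now always means privsep, and that the caller is responsible for `pid` belonging to a process it manages.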
--- a/neutron/tests/common/net_helpers.py +++ b/neutron/tests/common/net_helpers.py @@ -625,8 +625,7 @@ class NamespaceFixture(fixtures.Fixture): if self.ip_wrapper.netns.exists(self.name): for pid in ip_lib.list_namespace_pids(self.name): utils.kill_process(pid, signal.SIGKILL, - run_as_root=True, - privsep_exec=True) + run_as_root=True) self.ip_wrapper.netns.delete(self.name) except helpers.TestTimerTimeout: LOG.warning('Namespace %s was not deleted due to a timeout.', diff --git a/neutron/tests/unit/agent/linux/test_external_process.py b/neutron/tests/unit/agent/linux/test_external_process.py index 3f52eb8d52d..d2aa240098a 100644 --- a/neutron/tests/unit/agent/linux/test_external_process.py +++ b/neutron/tests/unit/agent/linux/test_external_process.py @@ -230,7 +230,7 @@ class TestProcessManager(base.BaseTestCase): utils.assert_has_calls([ mock.call.execute(['kill', '-9', 4], run_as_root=False, - privsep_exec=False)]) + privsep_exec=True)]) def test_disable_namespace(self): with mock.patch.object(ep.ProcessManager, 'pid') as pid: @@ -245,7 +245,7 @@ class TestProcessManager(base.BaseTestCase): utils.assert_has_calls([ mock.call.execute(['kill', '-9', 4], run_as_root=True, - privsep_exec=False)]) + privsep_exec=True)]) def test_disable_not_active(self): with mock.patch.object(ep.ProcessManager, 'pid') as pid: @@ -288,7 +288,7 @@ class TestProcessManager(base.BaseTestCase): manager.disable() utils.execute.assert_called_with( expected_cmd, run_as_root=bool(namespace), - privsep_exec=False) + privsep_exec=True) def test_disable_custom_kill_script_no_namespace(self): self._test_disable_custom_kill_script( diff --git a/neutron/tests/unit/agent/linux/test_utils.py b/neutron/tests/unit/agent/linux/test_utils.py index 4dab58292f7..4e01bb907cd 100644 --- a/neutron/tests/unit/agent/linux/test_utils.py +++ b/neutron/tests/unit/agent/linux/test_utils.py 
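Review bot: The updated expectation in the first test_external_process.py hunk pins `run_as_root=False, privsep_exec=True`, a combination whose effect is decided inside `utils.execute`, which is mocked here. The third hunk does the same with `run_as_root=bool(namespace)`. These assertions only check the forwarded keyword arguments, so they would still pass if a non-root manager's kill were escalated. A short comment next to the assertion, such as `# privsep_exec is expected to be a no-op when run_as_root is False`, would make the intent explicit, backed by a test of `execute` itself if one does not already exist. The enclosing test methods start outside these hunks.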
@@ -238,11 +238,10 @@ class TestKillProcess(base.BaseTestCase): side_effect=exc) as mock_execute: with mock.patch.object(utils, 'process_is_running', return_value=not pid_killed): - utils.kill_process(pid, kill_signal, run_as_root=True, - privsep_exec=False) + utils.kill_process(pid, kill_signal, run_as_root=True) mock_execute.assert_called_with(['kill', '-%d' % kill_signal, pid], - run_as_root=True, privsep_exec=False) + run_as_root=True, privsep_exec=True) def test_kill_process_returns_none_for_valid_pid(self): self._test_kill_process('1')