Remove rootwrap execution (6)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call. This patch migrates the "kill_process" method to privsep and removes the unneeded rootwrap filters. Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf Story: #2007686 Task: #41558
This commit is contained in:
parent
cbe02a8f09
commit
ee00bddce7
|
@ -10,4 +10,3 @@
|
||||||
|
|
||||||
# "sleep" command, only for testing
|
# "sleep" command, only for testing
|
||||||
sleep: RegExpFilter, sleep, root, sleep, \d+
|
sleep: RegExpFilter, sleep, root, sleep, \d+
|
||||||
kill_sleep: KillFilter, root, sleep, -9
|
|
||||||
|
|
|
@ -10,19 +10,11 @@
|
||||||
|
|
||||||
# dhcp-agent
|
# dhcp-agent
|
||||||
dnsmasq: CommandFilter, dnsmasq, root
|
dnsmasq: CommandFilter, dnsmasq, root
|
||||||
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
|
|
||||||
# it looks like these are the only signals needed, per
|
|
||||||
# neutron/agent/linux/dhcp.py
|
|
||||||
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
|
|
||||||
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
|
|
||||||
# dnsmasq kill script filter
|
|
||||||
kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root
|
|
||||||
|
|
||||||
mm-ctl: CommandFilter, mm-ctl, root
|
mm-ctl: CommandFilter, mm-ctl, root
|
||||||
|
|
||||||
# haproxy
|
# haproxy
|
||||||
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
|
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
|
||||||
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
|
|
||||||
|
|
||||||
# ip_lib
|
# ip_lib
|
||||||
ip: IpFilter, ip, root
|
ip: IpFilter, ip, root
|
||||||
|
|
|
@ -14,8 +14,3 @@
|
||||||
|
|
||||||
# prefix_delegation_agent
|
# prefix_delegation_agent
|
||||||
dibbler-client: CommandFilter, dibbler-client, root
|
dibbler-client: CommandFilter, dibbler-client, root
|
||||||
kill_dibbler-client: KillFilter, root, dibbler-client, -9
|
|
||||||
# dibbler kill script filter
|
|
||||||
kill_dibbler_script: CommandFilter, dibbler-kill, root
|
|
||||||
# dibbler-client kill script filter
|
|
||||||
kill_dibbler-client_script: CommandFilter, dibbler-client-kill, root
|
|
||||||
|
|
|
@ -14,21 +14,11 @@ radvd: CommandFilter, radvd, root
|
||||||
|
|
||||||
# haproxy
|
# haproxy
|
||||||
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
|
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
|
||||||
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
|
|
||||||
# haproxy kill script filter
|
|
||||||
kill_haproxy_script: CommandFilter, haproxy-kill, root
|
|
||||||
|
|
||||||
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
|
|
||||||
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
|
|
||||||
kill_radvd_script: CommandFilter, radvd-kill, root
|
|
||||||
|
|
||||||
# ip_lib
|
# ip_lib
|
||||||
ip: IpFilter, ip, root
|
ip: IpFilter, ip, root
|
||||||
ip_exec: IpNetnsExecFilter, ip, root
|
ip_exec: IpNetnsExecFilter, ip, root
|
||||||
|
|
||||||
# For ip monitor
|
|
||||||
kill_ip_monitor: KillFilter, root, ip, -9
|
|
||||||
|
|
||||||
# iptables_manager
|
# iptables_manager
|
||||||
iptables-save: CommandFilter, iptables-save, root
|
iptables-save: CommandFilter, iptables-save, root
|
||||||
iptables-restore: CommandFilter, iptables-restore, root
|
iptables-restore: CommandFilter, iptables-restore, root
|
||||||
|
@ -37,27 +27,6 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||||
|
|
||||||
# Keepalived
|
# Keepalived
|
||||||
keepalived: CommandFilter, keepalived, root
|
keepalived: CommandFilter, keepalived, root
|
||||||
kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
|
|
||||||
# keepalived kill script filter
|
|
||||||
kill_keepalived_script: CommandFilter, keepalived-kill, root
|
|
||||||
|
|
||||||
# keepalived state change monitor
|
# keepalived state change monitor
|
||||||
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
|
||||||
# The following filters are used to kill the keepalived state change monitor.
|
|
||||||
# Since the monitor runs as a Python script, the system reports that the
|
|
||||||
# command of the process to be killed is python.
|
|
||||||
# TODO(mlavalle) These kill filters will be updated once we come up with a
|
|
||||||
# mechanism to kill using the name of the script being executed by Python
|
|
||||||
kill_keepalived_monitor_py: KillFilter, root, python, -15, -9
|
|
||||||
kill_keepalived_monitor_py3: KillFilter, root, python3, -15, -9
|
|
||||||
kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9
|
|
||||||
kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9
|
|
||||||
kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9
|
|
||||||
# For e.g. RHEL8 neutron-keepalived-state-change is run by "system python"
|
|
||||||
# which is /usr/libexec/platform-python3.6 so this should be in filters also.
|
|
||||||
# Path /usr/libexec isn't in PATH by default so it has to be given here as
|
|
||||||
# absolute path
|
|
||||||
kill_keepalived_monitor_platform_py: KillFilter, root, /usr/libexec/platform-python, -15, -9
|
|
||||||
kill_keepalived_monitor_platform_py36: KillFilter, root, /usr/libexec/platform-python3.6, -15, -9
|
|
||||||
# neutron-keepalived-state-change-monitor kill script filter
|
|
||||||
kill_neutron-keepalived-state-change-monitor_script: CommandFilter, neutron-keepalived-state-change-monitor-kill, root
|
|
||||||
|
|
|
@ -11,7 +11,6 @@
|
||||||
# openvswitch-agent
|
# openvswitch-agent
|
||||||
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
|
||||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||||
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
|
|
||||||
ovsdb-client: CommandFilter, ovsdb-client, root
|
ovsdb-client: CommandFilter, ovsdb-client, root
|
||||||
|
|
||||||
# ip_lib
|
# ip_lib
|
||||||
|
|
|
@ -98,7 +98,7 @@ class ProcessManager(MonitoredProcess):
|
||||||
else:
|
else:
|
||||||
self.disable('HUP')
|
self.disable('HUP')
|
||||||
|
|
||||||
def disable(self, sig='9', get_stop_command=None, privsep_exec=False):
|
def disable(self, sig='9', get_stop_command=None):
|
||||||
pid = self.pid
|
pid = self.pid
|
||||||
|
|
||||||
if self.active:
|
if self.active:
|
||||||
|
@ -107,11 +107,11 @@ class ProcessManager(MonitoredProcess):
|
||||||
ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
|
ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
|
||||||
ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env,
|
ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env,
|
||||||
run_as_root=self.run_as_root,
|
run_as_root=self.run_as_root,
|
||||||
privsep_exec=privsep_exec)
|
privsep_exec=True)
|
||||||
else:
|
else:
|
||||||
cmd = self.get_kill_cmd(sig, pid)
|
cmd = self.get_kill_cmd(sig, pid)
|
||||||
utils.execute(cmd, run_as_root=self.run_as_root,
|
utils.execute(cmd, run_as_root=self.run_as_root,
|
||||||
privsep_exec=privsep_exec)
|
privsep_exec=True)
|
||||||
# In the case of shutting down, remove the pid file
|
# In the case of shutting down, remove the pid file
|
||||||
if sig == '9':
|
if sig == '9':
|
||||||
utils.delete_if_exists(self.get_pid_file_name(),
|
utils.delete_if_exists(self.get_pid_file_name(),
|
||||||
|
|
|
@ -214,11 +214,11 @@ def find_fork_top_parent(pid):
|
||||||
return pid
|
return pid
|
||||||
|
|
||||||
|
|
||||||
def kill_process(pid, signal, run_as_root=False, privsep_exec=False):
|
def kill_process(pid, signal, run_as_root=False):
|
||||||
"""Kill the process with the given pid using the given signal."""
|
"""Kill the process with the given pid using the given signal."""
|
||||||
try:
|
try:
|
||||||
execute(['kill', '-%d' % signal, pid], run_as_root=run_as_root,
|
execute(['kill', '-%d' % signal, pid], run_as_root=run_as_root,
|
||||||
privsep_exec=privsep_exec)
|
privsep_exec=True)
|
||||||
except exceptions.ProcessExecutionError:
|
except exceptions.ProcessExecutionError:
|
||||||
if process_is_running(pid):
|
if process_is_running(pid):
|
||||||
raise
|
raise
|
||||||
|
|
|
@ -625,8 +625,7 @@ class NamespaceFixture(fixtures.Fixture):
|
||||||
if self.ip_wrapper.netns.exists(self.name):
|
if self.ip_wrapper.netns.exists(self.name):
|
||||||
for pid in ip_lib.list_namespace_pids(self.name):
|
for pid in ip_lib.list_namespace_pids(self.name):
|
||||||
utils.kill_process(pid, signal.SIGKILL,
|
utils.kill_process(pid, signal.SIGKILL,
|
||||||
run_as_root=True,
|
run_as_root=True)
|
||||||
privsep_exec=True)
|
|
||||||
self.ip_wrapper.netns.delete(self.name)
|
self.ip_wrapper.netns.delete(self.name)
|
||||||
except helpers.TestTimerTimeout:
|
except helpers.TestTimerTimeout:
|
||||||
LOG.warning('Namespace %s was not deleted due to a timeout.',
|
LOG.warning('Namespace %s was not deleted due to a timeout.',
|
||||||
|
|
|
@ -230,7 +230,7 @@ class TestProcessManager(base.BaseTestCase):
|
||||||
utils.assert_has_calls([
|
utils.assert_has_calls([
|
||||||
mock.call.execute(['kill', '-9', 4],
|
mock.call.execute(['kill', '-9', 4],
|
||||||
run_as_root=False,
|
run_as_root=False,
|
||||||
privsep_exec=False)])
|
privsep_exec=True)])
|
||||||
|
|
||||||
def test_disable_namespace(self):
|
def test_disable_namespace(self):
|
||||||
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
|
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
|
||||||
|
@ -245,7 +245,7 @@ class TestProcessManager(base.BaseTestCase):
|
||||||
utils.assert_has_calls([
|
utils.assert_has_calls([
|
||||||
mock.call.execute(['kill', '-9', 4],
|
mock.call.execute(['kill', '-9', 4],
|
||||||
run_as_root=True,
|
run_as_root=True,
|
||||||
privsep_exec=False)])
|
privsep_exec=True)])
|
||||||
|
|
||||||
def test_disable_not_active(self):
|
def test_disable_not_active(self):
|
||||||
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
|
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
|
||||||
|
@ -288,7 +288,7 @@ class TestProcessManager(base.BaseTestCase):
|
||||||
manager.disable()
|
manager.disable()
|
||||||
utils.execute.assert_called_with(
|
utils.execute.assert_called_with(
|
||||||
expected_cmd, run_as_root=bool(namespace),
|
expected_cmd, run_as_root=bool(namespace),
|
||||||
privsep_exec=False)
|
privsep_exec=True)
|
||||||
|
|
||||||
def test_disable_custom_kill_script_no_namespace(self):
|
def test_disable_custom_kill_script_no_namespace(self):
|
||||||
self._test_disable_custom_kill_script(
|
self._test_disable_custom_kill_script(
|
||||||
|
|
|
@ -238,11 +238,10 @@ class TestKillProcess(base.BaseTestCase):
|
||||||
side_effect=exc) as mock_execute:
|
side_effect=exc) as mock_execute:
|
||||||
with mock.patch.object(utils, 'process_is_running',
|
with mock.patch.object(utils, 'process_is_running',
|
||||||
return_value=not pid_killed):
|
return_value=not pid_killed):
|
||||||
utils.kill_process(pid, kill_signal, run_as_root=True,
|
utils.kill_process(pid, kill_signal, run_as_root=True)
|
||||||
privsep_exec=False)
|
|
||||||
|
|
||||||
mock_execute.assert_called_with(['kill', '-%d' % kill_signal, pid],
|
mock_execute.assert_called_with(['kill', '-%d' % kill_signal, pid],
|
||||||
run_as_root=True, privsep_exec=False)
|
run_as_root=True, privsep_exec=True)
|
||||||
|
|
||||||
def test_kill_process_returns_none_for_valid_pid(self):
|
def test_kill_process_returns_none_for_valid_pid(self):
|
||||||
self._test_kill_process('1')
|
self._test_kill_process('1')
|
||||||
|
|
Loading…
Reference in New Issue