Remove rootwrap execution (6)

Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the "kill_process" method to privsep and
removes the unneeded rootwrap filters.

Change-Id: I48461be8b08cbc21c8af371f551b944343ba37bf
Story: #2007686
Task: #41558
This commit is contained in:
Rodolfo Alonso Hernandez 2021-03-03 16:26:20 +00:00
parent cbe02a8f09
commit ee00bddce7
10 changed files with 11 additions and 59 deletions

View File

@ -10,4 +10,3 @@
# "sleep" command, only for testing
sleep: RegExpFilter, sleep, root, sleep, \d+
kill_sleep: KillFilter, root, sleep, -9

View File

@ -10,19 +10,11 @@
# dhcp-agent
dnsmasq: CommandFilter, dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
# it looks like these are the only signals needed, per
# neutron/agent/linux/dhcp.py
kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
# dnsmasq kill script filter
kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root
mm-ctl: CommandFilter, mm-ctl, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# ip_lib
ip: IpFilter, ip, root

View File

@ -14,8 +14,3 @@
# prefix_delegation_agent
dibbler-client: CommandFilter, dibbler-client, root
kill_dibbler-client: KillFilter, root, dibbler-client, -9
# dibbler kill script filter
kill_dibbler_script: CommandFilter, dibbler-kill, root
# dibbler-client kill script filter
kill_dibbler-client_script: CommandFilter, dibbler-client-kill, root

View File

@ -14,21 +14,11 @@ radvd: CommandFilter, radvd, root
# haproxy
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
# haproxy kill script filter
kill_haproxy_script: CommandFilter, haproxy-kill, root
kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
kill_radvd_script: CommandFilter, radvd-kill, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
@ -37,27 +27,6 @@ ip6tables-restore: CommandFilter, ip6tables-restore, root
# Keepalived
keepalived: CommandFilter, keepalived, root
kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
# keepalived kill script filter
kill_keepalived_script: CommandFilter, keepalived-kill, root
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
# The following filters are used to kill the keepalived state change monitor.
# Since the monitor runs as a Python script, the system reports that the
# command of the process to be killed is python.
# TODO(mlavalle) These kill filters will be updated once we come up with a
# mechanism to kill using the name of the script being executed by Python
kill_keepalived_monitor_py: KillFilter, root, python, -15, -9
kill_keepalived_monitor_py3: KillFilter, root, python3, -15, -9
kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9
kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9
kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9
# For e.g. RHEL8 neutron-keepalived-state-change is run by "system python"
# which is /usr/libexec/platform-python3.6 so this should be in filters also.
# Path /usr/libexec isn't in PATH by default so it has to be given here as
# absolute path
kill_keepalived_monitor_platform_py: KillFilter, root, /usr/libexec/platform-python, -15, -9
kill_keepalived_monitor_platform_py36: KillFilter, root, /usr/libexec/platform-python3.6, -15, -9
# neutron-keepalived-state-change-monitor kill script filter
kill_neutron-keepalived-state-change-monitor_script: CommandFilter, neutron-keepalived-state-change-monitor-kill, root

View File

@ -11,7 +11,6 @@
# openvswitch-agent
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
ovsdb-client: CommandFilter, ovsdb-client, root
# ip_lib

View File

@ -98,7 +98,7 @@ class ProcessManager(MonitoredProcess):
else:
self.disable('HUP')
def disable(self, sig='9', get_stop_command=None, privsep_exec=False):
def disable(self, sig='9', get_stop_command=None):
pid = self.pid
if self.active:
@ -107,11 +107,11 @@ class ProcessManager(MonitoredProcess):
ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env,
run_as_root=self.run_as_root,
privsep_exec=privsep_exec)
privsep_exec=True)
else:
cmd = self.get_kill_cmd(sig, pid)
utils.execute(cmd, run_as_root=self.run_as_root,
privsep_exec=privsep_exec)
privsep_exec=True)
# In the case of shutting down, remove the pid file
if sig == '9':
utils.delete_if_exists(self.get_pid_file_name(),

View File

@ -214,11 +214,11 @@ def find_fork_top_parent(pid):
return pid
def kill_process(pid, signal, run_as_root=False, privsep_exec=False):
def kill_process(pid, signal, run_as_root=False):
"""Kill the process with the given pid using the given signal."""
try:
execute(['kill', '-%d' % signal, pid], run_as_root=run_as_root,
privsep_exec=privsep_exec)
privsep_exec=True)
except exceptions.ProcessExecutionError:
if process_is_running(pid):
raise

View File

@ -625,8 +625,7 @@ class NamespaceFixture(fixtures.Fixture):
if self.ip_wrapper.netns.exists(self.name):
for pid in ip_lib.list_namespace_pids(self.name):
utils.kill_process(pid, signal.SIGKILL,
run_as_root=True,
privsep_exec=True)
run_as_root=True)
self.ip_wrapper.netns.delete(self.name)
except helpers.TestTimerTimeout:
LOG.warning('Namespace %s was not deleted due to a timeout.',

View File

@ -230,7 +230,7 @@ class TestProcessManager(base.BaseTestCase):
utils.assert_has_calls([
mock.call.execute(['kill', '-9', 4],
run_as_root=False,
privsep_exec=False)])
privsep_exec=True)])
def test_disable_namespace(self):
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
@ -245,7 +245,7 @@ class TestProcessManager(base.BaseTestCase):
utils.assert_has_calls([
mock.call.execute(['kill', '-9', 4],
run_as_root=True,
privsep_exec=False)])
privsep_exec=True)])
def test_disable_not_active(self):
with mock.patch.object(ep.ProcessManager, 'pid') as pid:
@ -288,7 +288,7 @@ class TestProcessManager(base.BaseTestCase):
manager.disable()
utils.execute.assert_called_with(
expected_cmd, run_as_root=bool(namespace),
privsep_exec=False)
privsep_exec=True)
def test_disable_custom_kill_script_no_namespace(self):
self._test_disable_custom_kill_script(

View File

@ -238,11 +238,10 @@ class TestKillProcess(base.BaseTestCase):
side_effect=exc) as mock_execute:
with mock.patch.object(utils, 'process_is_running',
return_value=not pid_killed):
utils.kill_process(pid, kill_signal, run_as_root=True,
privsep_exec=False)
utils.kill_process(pid, kill_signal, run_as_root=True)
mock_execute.assert_called_with(['kill', '-%d' % kill_signal, pid],
run_as_root=True, privsep_exec=False)
run_as_root=True, privsep_exec=True)
def test_kill_process_returns_none_for_valid_pid(self):
self._test_kill_process('1')