0df884ac93
This patch introduces support for rootwrap daemon mode. It adds a new config option, AGENT.root_helper_daemon with no default. To enable, set to something like: root_helper_daemon = sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf The patch currently assumes that the root_helper_daemon value, and specifically the rootwrap config, will not change once calls to execute() happen. While it would not be hard to generate a rootwrap daemon client for each new config, I couldn't think of a legitimate reason to support it and left it out as YAGNI. This patch does change the behavior of the addl_env argument to create_process and execute. Previously, an environment dict would be passed to Popen. If a root helper was used, this environemnt would actually be passed to 'sudo' which would filter it before passing it to the underlying command. In the case of daemon mode, this would cause a problem as the enviornment is filtered by sudo only once, at daemon startup. Any environment variables added at execute time would then just be passed directly to the underyling command unfiltered. oslo.rootwrap 1.6.0 fixes this issue by denying the passing of environment variables to the daemon altogether. Instead, anything using rootwrap and needing to pass additional environment variables should define an EnvFilter and run the command with env var=val cmd. utils.execute/create_process have been modified to run code in this way (which netns.execute already did). No code in neutron currently uses both run_as_root=True and addl_env, so this change does not require any change in code or filters. DocImpact Implements: blueprint rootwrap-daemon-mode Change-Id: I567334bb611253c7b9d830d50c5be308a5153baf