Move contrail vif plugging to privsep.

The same pattern as the others, except with a generated command line. Change-Id: Icfbe3566d8cb82e6878ab4097ed747b18fd5e28a blueprint: hurrah-for-privsep
2017-10-26 21:03:50 +11:00
parent 541415933b
commit 2b75745179
5 changed files with 41 additions and 56 deletions
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@ -46,9 +46,6 @@ ovs-vsctl: CommandFilter, ovs-vsctl, root
 # nova/network/linux_net.py: 'ivs-ctl', ....
 ivs-ctl: CommandFilter, ivs-ctl, root

-# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
-vrouter-port-control: CommandFilter, vrouter-port-control, root
-
 # nova/network/linux_net.py: 'ovs-ofctl', ....
 ovs-ofctl: CommandFilter, ovs-ofctl, root

--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@ -255,6 +255,25 @@ def unplug_plumgrid_vif(dev):
    processutils.execute('ifc_ctl', 'gateway', 'del_port', dev)


+@nova.privsep.sys_admin_pctxt.entrypoint
+def plug_contrail_vif(instance, vif, ip_addr, ip6_addr, ptype):
+    cmd_args = ('--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s '
+                '--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s'
+                ' --vm_name=%s --mac=%s --tap_name=%s --port_type=%s '
+                '--tx_vlan_id=%d --rx_vlan_id=%d'
+                % (vif['id'], instance.uuid, vif['network']['id'],
+                   instance.project_id, ip_addr, ip6_addr,
+                   instance.display_name, vif['address'],
+                   vif['devname'], ptype, -1, -1))
+    processutils.execute('vrouter-port-control', cmd_args)
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def unplug_contrail_vif(vif):
+    cmd_args = ('--oper=delete --uuid=%s' % (vif['id']))
+    processutils.execute('vrouter-port-control', cmd_args)
+
+
@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
    """Disable multicast snooping for a bridge."""
--- a/nova/tests/unit/virt/libvirt/test_vif.py
+++ b/nova/tests/unit/virt/libvirt/test_vif.py
@ -1039,16 +1039,14 @@ class LibvirtVifTestCase(test.NoDBTestCase):
                       self.vif_iovisor['network']['id'],
                       self.instance.project_id)])

-    def test_unplug_vrouter_with_details(self):
+    @mock.patch('nova.privsep.libvirt.unplug_contrail_vif')
+    def test_unplug_vrouter_with_details(self, mock_unplug_contrail):
        d = vif.LibvirtGenericVIFDriver()
-        with mock.patch.object(utils, 'execute') as execute:
-            d.unplug(self.instance, self.vif_vrouter)
-            execute.assert_called_once_with(
-                'vrouter-port-control',
-                '--oper=delete --uuid=vif-xxx-yyy-zzz',
-                run_as_root=True)
+        d.unplug(self.instance, self.vif_vrouter)
+        mock_unplug_contrail.assert_called_once_with(self.vif_vrouter)

-    def test_plug_vrouter_with_details(self):
+    @mock.patch('nova.privsep.libvirt.plug_contrail_vif')
+    def test_plug_vrouter_with_details(self, mock_plug_contrail):
        d = vif.LibvirtGenericVIFDriver()
        instance = mock.Mock()
        instance.name = 'instance-name'
@ -1062,23 +1060,14 @@ class LibvirtVifTestCase(test.NoDBTestCase):
                mock.call('ip', 'tuntap', 'add', 'tap-xxx-yyy-zzz', 'mode',
                    'tap', run_as_root=True, check_exit_code=[0, 2, 254]),
                mock.call('ip', 'link', 'set', 'tap-xxx-yyy-zzz', 'up',
-                    run_as_root=True, check_exit_code=[0, 2, 254]),
-                mock.call('vrouter-port-control',
-                    '--oper=add --uuid=vif-xxx-yyy-zzz '
-                    '--instance_uuid=46a4308b-e75a-4f90-a34a-650c86ca18b2 '
-                    '--vn_uuid=network-id-xxx-yyy-zzz '
-                    '--vm_project_uuid=b168ea26fa0c49c1a84e1566d9565fa5 '
-                    '--ip_address=0.0.0.0 '
-                    '--ipv6_address=None '
-                    '--vm_name=instance1 '
-                    '--mac=ca:fe:de:ad:be:ef '
-                    '--tap_name=tap-xxx-yyy-zzz '
-                    '--port_type=NovaVMPort '
-                    '--tx_vlan_id=-1 '
-                    '--rx_vlan_id=-1', run_as_root=True)])
+                    run_as_root=True, check_exit_code=[0, 2, 254])])
+            mock_plug_contrail.called_once_with(
+               instance, self.vif_vrouter, '0.0.0.0', None, 'NovaVMPort')

    @mock.patch('nova.network.linux_net.create_tap_dev')
-    def test_plug_vrouter_with_details_multiqueue(self, mock_create_tap_dev):
+    @mock.patch('nova.privsep.libvirt.plug_contrail_vif')
+    def test_plug_vrouter_with_details_multiqueue(
+            self, mock_plug_contrail, mock_create_tap_dev):
        d = vif.LibvirtGenericVIFDriver()
        instance = mock.Mock()
        instance.name = 'instance-name'
@ -1088,24 +1077,12 @@ class LibvirtVifTestCase(test.NoDBTestCase):
        instance.image_meta = objects.ImageMeta.from_dict({
            'properties': {'hw_vif_multiqueue_enabled': True}})
        instance.flavor.vcpus = 2
-        with mock.patch.object(utils, 'execute') as execute:
-            d.plug(instance, self.vif_vrouter)
-            mock_create_tap_dev.assert_called_once_with('tap-xxx-yyy-zzz',
-                                                        multiqueue=True)
-            execute.assert_called_once_with(
-                'vrouter-port-control',
-                '--oper=add --uuid=vif-xxx-yyy-zzz '
-                '--instance_uuid=46a4308b-e75a-4f90-a34a-650c86ca18b2 '
-                '--vn_uuid=network-id-xxx-yyy-zzz '
-                '--vm_project_uuid=b168ea26fa0c49c1a84e1566d9565fa5 '
-                '--ip_address=0.0.0.0 '
-                '--ipv6_address=None '
-                '--vm_name=instance1 '
-                '--mac=ca:fe:de:ad:be:ef '
-                '--tap_name=tap-xxx-yyy-zzz '
-                '--port_type=NovaVMPort '
-                '--tx_vlan_id=-1 '
-                '--rx_vlan_id=-1', run_as_root=True)
+        d.plug(instance, self.vif_vrouter)
+        mock_create_tap_dev.assert_called_once_with('tap-xxx-yyy-zzz',
+                                                    multiqueue=True)
+
+        mock_plug_contrail.assert_called_once_with(
+            instance, self.vif_vrouter, '0.0.0.0', None, 'NovaVMPort')

    def test_ivs_ethernet_driver(self):
        d = vif.LibvirtGenericVIFDriver()
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
@ -719,19 +719,12 @@ class LibvirtGenericVIFDriver(object):
        if (CONF.libvirt.virt_type == 'lxc'):
            ptype = 'NameSpacePort'

-        cmd_args = ("--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s "
-                    "--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s"
-                    " --vm_name=%s --mac=%s --tap_name=%s --port_type=%s "
-                    "--tx_vlan_id=%d --rx_vlan_id=%d" % (vif['id'],
-                    instance.uuid, vif['network']['id'],
-                    instance.project_id, ip_addr, ip6_addr,
-                    instance.display_name, vif['address'],
-                    vif['devname'], ptype, -1, -1))
        try:
            multiqueue = self._is_multiqueue_enabled(instance.image_meta,
                                                     instance.flavor)
            linux_net.create_tap_dev(dev, multiqueue=multiqueue)
-            utils.execute('vrouter-port-control', cmd_args, run_as_root=True)
+            nova.privsep.libvirt.plug_contrail_vif(
+                instance, vif, ip_addr, ip6_addr, ptype)
        except processutils.ProcessExecutionError:
            LOG.exception(_("Failed while plugging vif"), instance=instance)

@ -882,9 +875,8 @@ class LibvirtGenericVIFDriver(object):
        Unbind the vif from a Contrail virtual port.
        """
        dev = self.get_vif_devname(vif)
-        cmd_args = ("--oper=delete --uuid=%s" % (vif['id']))
        try:
-            utils.execute('vrouter-port-control', cmd_args, run_as_root=True)
+            nova.privsep.libvirt.unplug_contrail_vif(vif)
            linux_net.delete_net_dev(dev)
        except processutils.ProcessExecutionError:
            LOG.exception(_("Failed while unplugging vif"), instance=instance)
--- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
+++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
@ -13,4 +13,4 @@ upgrade:
    configuration: blkid; cat; chown; cryptsetup; dd; ebrctl; ifc_ctl; kpartx;
    losetup; lvcreate; lvremove; lvs; mkdir; mm-ctl; mount; nova-idmapshift;
    ploop; prl_disk_tool; qemu-nbd; readlink; shred; tee; touch; umount; vgs;
-    and xend.
+    vrouter-port-control; and xend.