Squash dacnet_admin privsep context.

As discussed at the PTG, we're going to use one big context for
ease of management.

Change-Id: I951abd402736735730e0868f31b85b1817055b2f
blueprint: hurrah-for-privsep

etc/nova/rootwrap.d/compute.filters

@@ -198,8 +198,6 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
 # and (implicitly) the actual python code invoked.
 privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
 
-privsep-rootwrap-dacnet_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dacnet_admin_pctxt, --privsep_sock_path, /tmp/.*
-
 privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
 
 # nova/virt/libvirt/storage/dmcrypt.py:

nova/privsep/__init__.py

@@ -18,18 +18,6 @@
 from oslo_privsep import capabilities
 from oslo_privsep import priv_context
 
-# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
-dacnet_admin_pctxt = priv_context.PrivContext(
-    'nova',
-    cfg_section='nova_dacnet_admin',
-    pypath=__name__ + '.dacnet_admin_pctxt',
-    capabilities=[capabilities.CAP_CHOWN,
-                  capabilities.CAP_DAC_OVERRIDE,
-                  capabilities.CAP_DAC_READ_SEARCH,
-                  capabilities.CAP_FOWNER,
-                  capabilities.CAP_NET_ADMIN],
-)
-
 sys_admin_pctxt = priv_context.PrivContext(
     'nova',
     cfg_section='nova_sys_admin',

nova/privsep/libvirt.py

@@ -56,14 +56,14 @@ def _last_bytes_inner(file_like_object, num):
     return (file_like_object.read(), remaining)
 
 
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def enable_hairpin(interface):
     """Enable hairpin mode for a libvirt guest."""
     with open('/sys/class/net/%s/brport/hairpin_mode' % interface, 'w') as f:
         f.write('1')
 
 
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
     """Disable multicast snooping for a bridge."""
     with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
@@ -71,7 +71,7 @@ def disable_multicast_snooping(interface):
         f.write('0')
 
 
-@nova.privsep.dacnet_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_ipv6(interface):
     """Disable ipv6 for a bridge."""
     with open('/proc/sys/net/ipv6/conf/%s/disable_ipv' % interface, 'w') as f:

releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml

@@ -3,9 +3,6 @@ upgrade:
   - |
     A sys-admin privsep daemon has been added and needs to be included in your
     rootwrap configuration.
-  - |
-    A dacnet-admin privsep daemon has been added and needs to be included in
-    your rootwrap configuration.
   - |
     The following commands are no longer required to be listed in your rootwrap
     configuration: cat; chown; readlink; tee; touch.