diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index 040d2a0e7916..ca540fb2724f 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters @@ -188,8 +188,5 @@ cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root -# nova/virt/libvirt/utils.py: 'xend', 'status' -xend: CommandFilter, xend, root - # nova/virt/libvirt/volume/vzstorage.py pstorage-mount: CommandFilter, pstorage-mount, root diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py index f8c2ae3965f1..ed83b5de2b6b 100644 --- a/nova/privsep/libvirt.py +++ b/nova/privsep/libvirt.py @@ -210,3 +210,8 @@ def readpty(path): LOG.info(_('Ignored error while reading from instance console ' 'pty: %s'), e) return '' + + +@nova.privsep.sys_admin_pctxt.entrypoint +def xend_probe(): + processutils.execute('xend', 'status', check_exit_code=True) diff --git a/nova/tests/unit/virt/libvirt/test_utils.py b/nova/tests/unit/virt/libvirt/test_utils.py index 2cd9d9ac89ca..6005f560d36f 100644 --- a/nova/tests/unit/virt/libvirt/test_utils.py +++ b/nova/tests/unit/virt/libvirt/test_utils.py @@ -403,10 +403,11 @@ ID TAG VM SIZE DATE VM CLOCK is_block_dev) self.assertEqual(result, expected_result) + @mock.patch('nova.privsep.libvirt.xend_probe') @mock.patch('nova.utils.execute') - def test_pick_disk_driver_name_xen(self, mock_execute): + def test_pick_disk_driver_name_xen(self, mock_execute, mock_xend_probe): - def side_effect(*args, **kwargs): + def execute_side_effect(*args, **kwargs): if args == ('tap-ctl', 'check'): if mock_execute.blktap is True: return ('ok\n', '') 
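Review bot: In nova/privsep/libvirt.py, `xend_probe` runs `xend` by bare name inside the sys_admin privsep context, so which binary executes as root depends on the privsep daemon's PATH. The removed rootwrap filter was presumably resolved against rootwrap's configured `exec_dirs`, so it is worth confirming the daemon's search path is limited to trusted directories. The fixed argv with no caller-supplied arguments is the right shape for a privileged entrypoint, and a docstring should say so, for example `"""Run 'xend status' as root; raises ProcessExecutionError on non-zero exit and OSError if xend is missing. Takes no arguments by design."""`. The return value of `processutils.execute` is discarded, so callers can rely only on the exceptions.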
@@ -414,15 +415,17 @@ ID TAG VM SIZE DATE VM CLOCK return ('some error\n', '') else: raise OSError(2, "No such file or directory") - elif args == ('xend', 'status'): - if mock_execute.xend is True: - return ('', '') - elif mock_execute.xend is False: - raise processutils.ProcessExecutionError("error") - else: - raise OSError(2, "No such file or directory") raise Exception('Unexpected call') - mock_execute.side_effect = side_effect + mock_execute.side_effect = execute_side_effect + + def xend_probe_side_effect(): + if mock_execute.xend is True: + return ('', '') + elif mock_execute.xend is False: + raise processutils.ProcessExecutionError("error") + else: + raise OSError(2, "No such file or directory") + mock_xend_probe.side_effect = xend_probe_side_effect self.flags(virt_type="xen", group='libvirt') versions = [4000000, 4001000, 4002000, 4003000, 4005000] diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py index 19373d5c834c..b0571e8b3335 100644 --- a/nova/virt/libvirt/utils.py +++ b/nova/virt/libvirt/utils.py @@ -129,8 +129,7 @@ def pick_disk_driver_name(hypervisor_version, is_block_dev=False): # 4002000 == 4.2.0 if hypervisor_version >= 4002000: try: - utils.execute('xend', 'status', - run_as_root=True, check_exit_code=True) + nova.privsep.libvirt.xend_probe() except OSError as exc: if exc.errno == errno.ENOENT: LOG.debug("xend is not found") diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml index 0579b11acd62..a0fa43f19705 100644 --- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml +++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml 
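Review bot: In nova/tests/unit/virt/libvirt/test_utils.py, `xend_probe_side_effect` takes its switch from `mock_execute.xend`, so the new mock's behaviour is controlled by an attribute on a different mock, which is easy to misread. Reading `mock_xend_probe.xend` instead would keep each mock self-contained, though the lines that set the attribute are outside this hunk and would need the same change. The success branch also returns `('', '')` while the real `xend_probe` returns nothing; `return None` would mirror the entrypoint and stop a future caller from depending on a tuple that never arrives in production.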
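Review bot: In nova/virt/libvirt/utils.py, the new call `nova.privsep.libvirt.xend_probe()` only resolves if that module is already imported above the hunk, because this diff adds no import to the file; confirm `import nova.privsep.libvirt` is present. The `except OSError` branch that checks `exc.errno == errno.ENOENT` now handles an exception re-raised by the privsep client, not one raised locally. The unit test replaces `xend_probe` with a mock, so nothing in this commit exercises whether `errno` survives that boundary, which is worth verifying once against a host without xend. A short comment above the call would help, such as `# runs in the privsep daemon; OSError/ProcessExecutionError are re-raised on this side`. `pick_disk_driver_name` starts and ends outside the hunk.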
@@ -8,4 +8,5 @@ upgrade: - | The following commands are no longer required to be listed in your rootwrap configuration: cat; chown; cryptsetup; dd; lvcreate; lvremove; lvs; mkdir; - mount; ploop; prl_disk_tool; readlink; shred; tee; touch; umount; and vgs. + mount; ploop; prl_disk_tool; readlink; shred; tee; touch; umount; vgs; + and xend.