Add missing filters for new root commands

Add missing rootwrap filters for 'ovs-ofctl', 'cp' and 'mkfs'.
Do not run 'rm' as root since it's unnecessary.
Add documentation to try to prevent future misses.
Fixes bug 943293.

Change-Id: Ia680048a28a75f661a136d8447ff0aaf195649ba

nova/rootwrap/compute.py

@@ -73,6 +73,9 @@ filterlist = [
     # nova/virt/disk/api.py: 'chmod', 755, netdir
     filters.CommandFilter("/bin/chmod", "root"),
 
+    # nova/virt/disk/api.py: 'cp', os.path.join(fs...
+    filters.CommandFilter("/bin/cp", "root"),
+
     # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
     # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
     # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
@@ -102,6 +105,9 @@ filterlist = [
     # nova/network/linux_net.py: 'ovs-vsctl', ....
     filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
 
+    # nova/network/linux_net.py: 'ovs-ofctl', ....
+    filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
+
     # nova/virt/libvirt/connection.py: 'dd', "if=%s" % virsh_output, ...
     filters.CommandFilter("/bin/dd", "root"),
 
@@ -169,6 +175,9 @@ filterlist = [
     # nova/virt/xenapi/vm_utils.py: 'mkswap'
     filters.CommandFilter("/sbin/mkswap", "root"),
 
+    # nova/virt/xenapi/vm_utils.py: 'mkfs'
+    filters.CommandFilter("/sbin/mkfs", "root"),
+
     # nova/virt/libvirt/connection.py:
     filters.ReadFileFilter("/etc/iscsi/initiatorname.iscsi"),
     ]

nova/rootwrap/network.py

@@ -83,4 +83,7 @@ filterlist = [
 
     # nova/network/linux_net.py: 'ovs-vsctl', ....
     filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
+
+    # nova/network/linux_net.py: 'ovs-ofctl', ....
+    filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
     ]