Merge "Always run dnsmasq as root"

6 files changed, 17 insertions, 11 deletions

diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
index 0e30f70461..55509cb84b 100644
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
@@ -208,7 +208,8 @@ class DhcpLocalProcess(DhcpBase):
             uuid=self.network.id,
             namespace=self.network.namespace,
             default_cmd_callback=cmd_callback,
-            pid_file=self.get_conf_file_name('pid'))
+            pid_file=self.get_conf_file_name('pid'),
+            run_as_root=True)
 
     def disable(self, retain_port=False):
         """Disable DHCP for this network by killing the local process."""
@@ -402,7 +403,7 @@ class Dnsmasq(DhcpLocalProcess):
         """Release a DHCP lease."""
         cmd = ['dhcp_release', self.interface_name, ip, mac_address]
         ip_wrapper = ip_lib.IPWrapper(namespace=self.network.namespace)
-        ip_wrapper.netns.execute(cmd)
+        ip_wrapper.netns.execute(cmd, run_as_root=True)
 
     def _output_config_files(self):
         self._output_hosts_file()
diff --git a/neutron/agent/linux/external_process.py b/neutron/agent/linux/external_process.py
index 0dff4efa88..f3ac93a7f0 100644
--- a/neutron/agent/linux/external_process.py
+++ b/neutron/agent/linux/external_process.py
@@ -60,7 +60,7 @@ class ProcessManager(MonitoredProcess):
     """
     def __init__(self, conf, uuid, namespace=None, service=None,
                  pids_path=None, default_cmd_callback=None,
-                 cmd_addl_env=None, pid_file=None):
+                 cmd_addl_env=None, pid_file=None, run_as_root=False):
 
         self.conf = conf
         self.uuid = uuid
@@ -69,6 +69,7 @@ class ProcessManager(MonitoredProcess):
         self.cmd_addl_env = cmd_addl_env
         self.pids_path = pids_path or self.conf.external_pids
         self.pid_file = pid_file
+        self.run_as_root = run_as_root
 
         if service:
             self.service_pid_fname = 'pid.' + service
@@ -86,7 +87,8 @@ class ProcessManager(MonitoredProcess):
             cmd = cmd_callback(self.get_pid_file_name())
 
             ip_wrapper = ip_lib.IPWrapper(namespace=self.namespace)
-            ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env)
+            ip_wrapper.netns.execute(cmd, addl_env=self.cmd_addl_env,
+                                     run_as_root=self.run_as_root)
         elif reload_cfg:
             self.reload_cfg()
 
diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py
index 330ea3dd65..1da4eb7c49 100644
--- a/neutron/agent/linux/ip_lib.py
+++ b/neutron/agent/linux/ip_lib.py
@@ -559,9 +559,9 @@ class IpNetnsCommand(IpCommandBase):
         self._as_root([], ('delete', name), use_root_namespace=True)
 
     def execute(self, cmds, addl_env=None, check_exit_code=True,
-                extra_ok_codes=None):
+                extra_ok_codes=None, run_as_root=False):
         ns_params = []
-        kwargs = {}
+        kwargs = {'run_as_root': run_as_root}
         if self._parent.namespace:
             kwargs['run_as_root'] = True
             ns_params = ['ip', 'netns', 'exec', self._parent.namespace]
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 10cbc6d678..864c1e9a94 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -125,7 +125,8 @@ class TestMetadataDriverProcess(base.BaseTestCase):
                     '--metadata_proxy_watch_log=false')
             ip_mock.assert_has_calls([
                 mock.call(namespace=router_ns),
-                mock.call().netns.execute(netns_execute_args, addl_env=None)
+                mock.call().netns.execute(netns_execute_args, addl_env=None,
+                                          run_as_root=False)
             ])
 
     def test_spawn_metadata_proxy_with_agent_user(self):
diff --git a/neutron/tests/unit/test_linux_external_process.py b/neutron/tests/unit/test_linux_external_process.py
index c2dd542207..99cd7d8f2f 100644
--- a/neutron/tests/unit/test_linux_external_process.py
+++ b/neutron/tests/unit/test_linux_external_process.py
@@ -52,7 +52,8 @@ class TestProcessManager(base.BaseTestCase):
                 callback.assert_called_once_with('pidfile')
                 self.execute.assert_called_once_with(['the', 'cmd'],
                                                      check_exit_code=True,
-                                                     extra_ok_codes=None)
+                                                     extra_ok_codes=None,
+                                                     run_as_root=False)
 
     def test_enable_with_namespace(self):
         callback = mock.Mock()
@@ -69,8 +70,8 @@ class TestProcessManager(base.BaseTestCase):
                     callback.assert_called_once_with('pidfile')
                     ip_lib.assert_has_calls([
                         mock.call.IPWrapper(namespace='ns'),
-                        mock.call.IPWrapper().netns.execute(['the', 'cmd'],
-                                                            addl_env=None)])
+                        mock.call.IPWrapper().netns.execute(
+                            ['the', 'cmd'], addl_env=None, run_as_root=False)])
 
     def test_enable_with_namespace_process_active(self):
         callback = mock.Mock()
diff --git a/neutron/tests/unit/test_linux_ip_lib.py b/neutron/tests/unit/test_linux_ip_lib.py
index 0ef1b88f7f..80202ac833 100644
--- a/neutron/tests/unit/test_linux_ip_lib.py
+++ b/neutron/tests/unit/test_linux_ip_lib.py
@@ -927,7 +927,8 @@ class TestIpNetnsCommand(TestIPCmdBase):
             self.netns_cmd.execute(['test'])
             execute.assert_called_once_with(['test'],
                                             check_exit_code=True,
-                                            extra_ok_codes=None)
+                                            extra_ok_codes=None,
+                                            run_as_root=False)
 
 
 class TestDeviceExists(base.BaseTestCase):