authorRodolfo Alonso Hernandez <ralonsoh@redhat.com>2020-11-18 16:58:07 +0000
committerRodolfo Alonso Hernandez <ralonsoh@redhat.com>2020-11-23 16:23:36 +0000
commit55f5c78053ac21e0e7fdcec063b80efe4494c845 (patch)
treec26da054662f5cf69264b89b020f57cd79376b05
parentb916ac3b73d0d252c8284fb8defb1875c7c40fe7 (diff)
downloadneutron-55f5c78053ac21e0e7fdcec063b80efe4494c845.tar.gz
Remove "ovs-vsctl" support from rootwrap
This command is executed only from scripts and sanity checks, not from any Neutron service. Change-Id: If82e89bf7b233559513ab44eadebb445648f0684 Story: #2007686 Task: #41282
-rw-r--r--etc/neutron/rootwrap.d/dhcp.filters1
-rw-r--r--etc/neutron/rootwrap.d/l3.filters3
-rw-r--r--etc/neutron/rootwrap.d/openvswitch-plugin.filters3
-rw-r--r--neutron/agent/ovsdb/native/helpers.py5
-rw-r--r--neutron/privileged/__init__.py9
-rw-r--r--neutron/privileged/agent/ovsdb/__init__.py0
-rw-r--r--neutron/privileged/agent/ovsdb/native/__init__.py0
-rw-r--r--neutron/privileged/agent/ovsdb/native/helpers.py47
8 files changed, 58 insertions, 10 deletions
diff --git a/etc/neutron/rootwrap.d/dhcp.filters b/etc/neutron/rootwrap.d/dhcp.filters
index 0ed1e13e41..d2005fcc1e 100644
--- a/etc/neutron/rootwrap.d/dhcp.filters
+++ b/etc/neutron/rootwrap.d/dhcp.filters
@@ -18,7 +18,6 @@ kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
# dnsmasq kill script filter
kill_dnsmasq_script: CommandFilter, dnsmasq-kill, root
-ovs-vsctl: CommandFilter, ovs-vsctl, root
mm-ctl: CommandFilter, mm-ctl, root
# haproxy
diff --git a/etc/neutron/rootwrap.d/l3.filters b/etc/neutron/rootwrap.d/l3.filters
index 6b311e4381..ceb66ffbc9 100644
--- a/etc/neutron/rootwrap.d/l3.filters
+++ b/etc/neutron/rootwrap.d/l3.filters
@@ -40,9 +40,6 @@ l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, pare
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
-# ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
# iptables_manager
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
diff --git a/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
index e5290243be..69421b0c1d 100644
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@@ -9,9 +9,6 @@
[Filters]
# openvswitch-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-ovs-vsctl: CommandFilter, ovs-vsctl, root
# NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
ovs-ofctl: CommandFilter, ovs-ofctl, root
kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
diff --git a/neutron/agent/ovsdb/native/helpers.py b/neutron/agent/ovsdb/native/helpers.py
index a59b6b38ff..4a7c28f2d0 100644
--- a/neutron/agent/ovsdb/native/helpers.py
+++ b/neutron/agent/ovsdb/native/helpers.py
@@ -15,18 +15,17 @@
import functools
from oslo_config import cfg
-from ovsdbapp.schema.open_vswitch import helpers
-from neutron.agent.common import utils
from neutron.conf.agent import ovs_conf as agent_ovs_conf
from neutron.conf.plugins.ml2.drivers import ovs_conf as ml2_ovs_conf
+from neutron.privileged.agent.ovsdb.native import helpers as priv_helpers
agent_ovs_conf.register_ovs_agent_opts(cfg.CONF)
ml2_ovs_conf.register_ovs_opts(cfg=cfg.CONF)
enable_connection_uri = functools.partial(
- helpers.enable_connection_uri, execute=utils.execute, run_as_root=True,
+ priv_helpers.enable_connection_uri,
log_fail_as_error=False, check_exit_code=False,
timeout=cfg.CONF.OVS.ovsdb_timeout,
inactivity_probe=cfg.CONF.OVS.of_inactivity_probe * 1000)
diff --git a/neutron/privileged/__init__.py b/neutron/privileged/__init__.py
index 33d60bccf0..f4fc471ede 100644
--- a/neutron/privileged/__init__.py
+++ b/neutron/privileged/__init__.py
@@ -37,3 +37,12 @@ dhcp_release_cmd = priv_context.PrivContext(
capabilities=[caps.CAP_SYS_ADMIN,
caps.CAP_NET_ADMIN]
)
+
+
+ovs_vsctl_cmd = priv_context.PrivContext(
+ __name__,
+ cfg_section='privsep_ovs_vsctl',
+ pypath=__name__ + '.ovs_vsctl_cmd',
+ capabilities=[caps.CAP_SYS_ADMIN,
+ caps.CAP_NET_ADMIN]
+)
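Review bot: The new `ovs_vsctl_cmd` context grants CAP_SYS_ADMIN together with CAP_NET_ADMIN, apparently mirrored from `dhcp_release_cmd` just above, and nothing in the hunk says why ovs-vsctl needs the broadest capability Linux has; the privsep daemon holds it for its entire lifetime, so it is worth confirming which capability the ovs-vsctl invocation in the new helper actually requires (reaching the ovsdb-server socket is presumably a file-permission question rather than a SYS_ADMIN one) and trimming the list to that. Whichever way that goes, the choice should be recorded next to the context, e.g. `# ovs-vsctl only needs to reach the ovsdb-server socket; CAP_SYS_ADMIN is copied from dhcp_release_cmd -- revisit`. The `privsep_ovs_vsctl` section introduced by `cfg_section` is a new operator-facing config section and should appear in the sample config/documentation; I cannot see from this hunk whether it does. The module's other contexts start outside the hunk.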
diff --git a/neutron/privileged/agent/ovsdb/__init__.py b/neutron/privileged/agent/ovsdb/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/neutron/privileged/agent/ovsdb/__init__.py
diff --git a/neutron/privileged/agent/ovsdb/native/__init__.py b/neutron/privileged/agent/ovsdb/native/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/neutron/privileged/agent/ovsdb/native/__init__.py
diff --git a/neutron/privileged/agent/ovsdb/native/helpers.py b/neutron/privileged/agent/ovsdb/native/helpers.py
new file mode 100644
index 0000000000..bd76e752f4
--- /dev/null
+++ b/neutron/privileged/agent/ovsdb/native/helpers.py
@@ -0,0 +1,47 @@
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_concurrency import processutils
+
+from neutron import privileged
+
+
+def _connection_to_manager_uri(conn_uri):
+ proto, addr = conn_uri.split(':', 1)
+ if ':' in addr:
+ ip, port = addr.split(':', 1)
+ return 'p%s:%s:%s' % (proto, port, ip)
+ return 'p%s:%s' % (proto, addr)
+
+
+@privileged.ovs_vsctl_cmd.entrypoint
+def enable_connection_uri(conn_uri, log_fail_as_error=False,
+ check_exit_code=False, **kwargs):
+ timeout = kwargs.pop('timeout', 5)
+ # NOTE(ralonsoh): this method has been transcripted from ovsdbapp library:
+ # https://github.com/openstack/ovsdbapp/blob/stable/victoria/ovsdbapp/
+ # schema/open_vswitch/helpers.py
+ # NOTE(ralonsoh): the command timeout , "timeout", is defined in seconds;
+ # the probe timeout is defined in milliseconds. If "timeout" is used, must
+ # be converted to ms.
+ probe = (timeout * 1000 if kwargs.pop('set_timeout', None) else
+ kwargs.pop('inactivity_probe', None))
+ man_uri = _connection_to_manager_uri(conn_uri)
+ cmd = ['ovs-vsctl', '--timeout=%d' % timeout, '--id=@manager',
+ '--', 'create', 'Manager', 'target="%s"' % man_uri,
+ '--', 'add', 'Open_vSwitch', '.', 'manager_options', '@manager']
+ if probe is not None:
+ cmd += ['--', 'set', 'Manager', man_uri, 'inactivity_probe=%s' % probe]
+ return processutils.execute(*cmd, log_errors=log_fail_as_error,
+ check_exit_code=check_exit_code)
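Review bot: `_connection_to_manager_uri` mis-parses IPv6 connection URIs: for `tcp:[::1]:6640` the `addr.split(':', 1)` yields `ip='['` and `port=':1]:6640'`, so the Manager target written into ovsdb is garbage; splitting from the right, `ip, port = addr.rsplit(':', 1)`, gives `ptcp:6640:[::1]`, the bracketed form OVS accepts for ptcp targets. The comment says the function was transcribed from ovsdbapp, so the defect is presumably inherited, but this copy is now the one executing inside the privsep daemon. Because `enable_connection_uri` is a privsep entrypoint, `conn_uri` crosses the privilege boundary; the argv-list `processutils.execute` call means no shell is involved, but a value containing `"` would still break the `target="%s"` quoting in the ovs-vsctl command, so rejecting it up front with `if '"' in man_uri: raise ValueError('invalid manager URI: %s' % man_uri)` before `cmd` is built is cheap insurance. A docstring should also state that `timeout` is in seconds while `inactivity_probe` is in milliseconds, that `set_timeout` reuses the command timeout as the probe value, and that any other kwargs are silently discarded.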