authorRodolfo Alonso Hernandez <ralonsoh@redhat.com>2021-02-04 17:30:28 +0000
committerRodolfo Alonso Hernandez <ralonsoh@redhat.com>2021-02-19 08:47:17 +0000
commit5a419cbc84e26b4a3b1d0dbe5166c1ab83cc825b (patch)
tree1c78a6eaffff2ba5cb2dd7a30d05d8feb6acc21b
parent90309cf6e2f3ed5ae6d5f4cca3c5351c2ac67a13 (diff)
downloadneutron-5a419cbc84e26b4a3b1d0dbe5166c1ab83cc825b.tar.gz
Remove rootwrap execution (5)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace every rootwrap call. This patch migrates the execution methods that were still missing from the previous patches and removes rootwrap filters that are no longer needed. Story: #2007686 Task: #41558 Change-Id: I1542dc4cf98658fc9a40018192498c7a5cd1c3fe
-rw-r--r--etc/neutron/rootwrap.d/debug.filters7
-rw-r--r--etc/neutron/rootwrap.d/iptables-firewall.filters15
-rw-r--r--etc/neutron/rootwrap.d/l3.filters13
-rw-r--r--etc/neutron/rootwrap.d/linuxbridge-plugin.filters7
-rw-r--r--etc/neutron/rootwrap.d/openvswitch-plugin.filters3
-rw-r--r--neutron/agent/linux/ip_conntrack.py2
-rw-r--r--neutron/agent/linux/ip_lib.py2
-rw-r--r--neutron/agent/linux/ipset_manager.py2
-rw-r--r--neutron/agent/linux/iptables_firewall.py6
-rw-r--r--neutron/tests/common/net_helpers.py10
-rw-r--r--neutron/tests/functional/agent/linux/test_netlink_lib.py14
-rw-r--r--neutron/tests/functional/agent/test_firewall.py2
-rw-r--r--neutron/tests/unit/agent/linux/test_ip_lib.py6
-rw-r--r--neutron/tests/unit/agent/linux/test_ipset_manager.py35
-rw-r--r--neutron/tests/unit/agent/linux/test_iptables_firewall.py11
15 files changed, 46 insertions, 89 deletions
diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters
index fc78f447dd..cfc3870648 100644
--- a/etc/neutron/rootwrap.d/debug.filters
+++ b/etc/neutron/rootwrap.d/debug.filters
@@ -8,13 +8,6 @@
[Filters]
-# This is needed because we should ping
-# from inside a namespace which requires root
-# _alt variants allow to match -c and -w in any order
-# (used by NeutronDebugAgent.ping_all)
-ping: CommandFilter, ping, root
-ping6: CommandFilter, ping6, root
-
# "sleep" command, only for testing
sleep: RegExpFilter, sleep, root, sleep, \d+
kill_sleep: KillFilter, root, sleep, -9
diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
deleted file mode 100644
index bdb93fbdb9..0000000000
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ /dev/null
@@ -1,15 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# neutron/agent/linux/iptables_firewall.py
-sysctl: CommandFilter, sysctl, root
-
-# neutron/agent/linux/ip_conntrack.py
-conntrack: CommandFilter, conntrack, root
diff --git a/etc/neutron/rootwrap.d/l3.filters b/etc/neutron/rootwrap.d/l3.filters
index 9b7826d4e0..c7eb2ab0f5 100644
--- a/etc/neutron/rootwrap.d/l3.filters
+++ b/etc/neutron/rootwrap.d/l3.filters
@@ -8,11 +8,7 @@
[Filters]
-# arping
-arping: CommandFilter, arping, root
-
# l3_agent
-sysctl: CommandFilter, sysctl, root
route: CommandFilter, route, root
radvd: CommandFilter, radvd, root
@@ -30,12 +26,6 @@ kill_radvd_script: CommandFilter, radvd-kill, root
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
-# l3_tc_lib
-l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
-l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
-l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
-l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
-
# For ip monitor
kill_ip_monitor: KillFilter, root, ip, -9
@@ -51,9 +41,6 @@ kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
# keepalived kill script filter
kill_keepalived_script: CommandFilter, keepalived-kill, root
-# l3 agent to delete floatingip's conntrack state
-conntrack: CommandFilter, conntrack, root
-
# keepalived state change monitor
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
# The following filters are used to kill the keepalived state change monitor.
diff --git a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters b/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
index 497d225d9a..2ed1db28d7 100644
--- a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+++ b/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
@@ -8,13 +8,6 @@
[Filters]
-# linuxbridge-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-brctl: CommandFilter, brctl, root
-bridge: CommandFilter, bridge, root
-sysctl: CommandFilter, sysctl, root
-
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
index 4a25f9618b..85ae528254 100644
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@@ -17,6 +17,3 @@ ovsdb-client: CommandFilter, ovsdb-client, root
# ip_lib
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
-
-# needed for FDB extension
-bridge: CommandFilter, bridge, root
diff --git a/neutron/agent/linux/ip_conntrack.py b/neutron/agent/linux/ip_conntrack.py
index c3594b0ff1..d4c8dfff74 100644
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@@ -163,7 +163,7 @@ class IpConntrackManager(object):
rule, remote_ip)
for cmd in conntrack_cmds:
try:
- self.execute(list(cmd), run_as_root=True,
+ self.execute(list(cmd), run_as_root=True, privsep_exec=True,
check_exit_code=True,
extra_ok_codes=[1])
except RuntimeError:
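Review bot: The `extra_ok_codes=[1]` on the call that now goes through privsep has no comment saying why exit status 1 is tolerated, so a reader migrating the remaining rootwrap callers cannot tell whether it is a conntrack convention or a leftover; suggest `# conntrack exits 1 when no entry matched the filter; not a failure for a delete` above the `try`, after confirming against the conntrack man page. This commit also deletes the `conntrack` rootwrap filter from both iptables-firewall.filters and l3.filters, so any other `conntrack` invocation that still reaches `execute` without `privsep_exec=True` would now be refused by rootwrap instead of working as before; a grep for remaining `'conntrack'` command lists before merging would rule that out. The enclosing method starts before this hunk and the `except RuntimeError:` body lies outside it.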
diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py
index 28c191fc8f..e7544d18ad 100644
--- a/neutron/agent/linux/ip_lib.py
+++ b/neutron/agent/linux/ip_lib.py
@@ -135,7 +135,7 @@ class SubProcessBase(object):
opt_list = ['-%s' % o for o in options]
ip_cmd = add_namespace_to_cmd(['ip'], namespace)
cmd = ip_cmd + opt_list + [command] + list(args)
- return utils.execute(cmd, run_as_root=run_as_root,
+ return utils.execute(cmd, run_as_root=run_as_root, privsep_exec=True,
log_fail_as_error=self.log_fail_as_error)
def set_log_fail_as_error(self, fail_with_error):
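Review bot: `privsep_exec=True` is passed unconditionally while `run_as_root` stays a variable, so non-root `ip` invocations also carry the privsep flag, and the updated expectations in test_ip_lib.py (the `run_as_root=False` cases) now pin that combination as the contract. If `utils.execute` only consults `privsep_exec` when `run_as_root` is true this is harmless, but that is not visible from the hunk and deserves a one-line comment, e.g. `# privsep_exec is only honoured together with run_as_root — see utils.execute`. The `ip`/`ip_exec` rootwrap filters are kept in the l3, linuxbridge and openvswitch filter files, presumably for callers not yet migrated; naming those remaining users in a comment next to the filters would make their eventual removal safer. The enclosing method starts before this hunk.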
diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py
index 49b236f48d..a2c9c91cb3 100644
--- a/neutron/agent/linux/ipset_manager.py
+++ b/neutron/agent/linux/ipset_manager.py
@@ -148,7 +148,7 @@ class IpsetManager(object):
cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])
cmd_ns.extend(cmd)
self.execute(cmd_ns, run_as_root=True, process_input=input,
- check_exit_code=fail_on_errors)
+ check_exit_code=fail_on_errors, privsep_exec=True)
def _get_new_set_ips(self, set_name, expected_ips):
new_member_ips = (set(expected_ips) -
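Review bot: When `self.namespace` is set the privileged command is `ip netns exec <ns> ipset ...` (the `cmd_ns` prefix built two lines above), so the executable privsep is asked to run is `ip` rather than `ipset`; the updated expectations in test_ipset_manager.py all use the bare `ipset` form, so the namespaced path does not appear to be pinned by this commit. If the privsep execute helper validates by command name, which is not visible here, a test case with `namespace` set would catch a regression. Minor style: `privsep_exec=True` is appended after `check_exit_code` here but placed right after `run_as_root` in ip_conntrack.py; one order across the series reads better. The enclosing method starts before this hunk.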
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index bf6b918835..97b1139ba2 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -102,7 +102,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
log_warning = False
if not a_utils.execute(
['sysctl', '-N', 'net.bridge'], run_as_root=True,
- log_fail_as_error=False, check_exit_code=False):
+ log_fail_as_error=False, check_exit_code=False,
+ privsep_exec=True):
LOG.warning('Kernel module br_netfilter is not loaded.')
log_warning = True
if not log_warning:
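Review bot: Both sysctl calls in this hunk and the next (`sysctl -N net.bridge` and `sysctl -b net.bridge.bridge-nf-call-…`) are read-only queries, yet they keep `run_as_root=True` and are now routed through privsep; if the agent user can read `/proc/sys/net/bridge` directly, `run_as_root=False` would avoid a privileged round-trip, but the keys may not be visible to an unprivileged user on every kernel, so confirm before changing. Because `check_exit_code=False` and `log_fail_as_error=False`, a privsep failure surfaces only as the `br_netfilter is not loaded` warning, which is misleading when the real cause is a privsep daemon problem; a comment noting that, or a debug log of the raw output, would help diagnosis. The enclosing method starts before this hunk and continues past the second one.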
@@ -110,7 +111,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
key = 'net.bridge.bridge-nf-call-%stables' % proto
enabled = a_utils.execute(
['sysctl', '-b', key], run_as_root=True,
- log_fail_as_error=False, check_exit_code=False)
+ log_fail_as_error=False, check_exit_code=False,
+ privsep_exec=True)
if enabled == '1':
status = 'enabled'
log_method = LOG.debug
diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py
index 26b17addcb..2ac810b114 100644
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -195,7 +195,8 @@ def _get_source_ports_from_ss_output(output):
def get_unused_port(used, start=1024, end=None):
if end is None:
port_range = utils.execute(
- ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
+ ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
+ privsep_exec=True)
end = int(port_range.split()[0]) - 1
candidates = set(range(start, end + 1))
@@ -235,11 +236,12 @@ def get_free_namespace_port(protocol, namespace=None, start=1024, end=None):
def set_local_port_range(start, end):
utils.execute(
['sysctl', '-w', 'net.ipv4.ip_local_port_range=%d %d' % (start, end)],
- run_as_root=True)
- utils.execute(['sysctl', '-p'], run_as_root=True)
+ run_as_root=True, privsep_exec=True)
+ utils.execute(['sysctl', '-p'], run_as_root=True, privsep_exec=True)
# verify
port_range = utils.execute(
- ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
+ ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
+ privsep_exec=True)
assert int(port_range.split()[0]) == start
assert int(port_range.split()[1]) == end
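Review bot: `sysctl -p` is run right after the `-w` write; it reloads /etc/sysctl.conf, so on a host whose sysctl.conf also sets `net.ipv4.ip_local_port_range` the just-written value is replaced and the two asserts below fail with no hint of why. If the intent is to re-apply the rest of the system settings, a comment such as `# re-apply /etc/sysctl.conf; it must not define ip_local_port_range` would prevent a confused bisect; otherwise consider whether the `-p` call is needed at all. The `int(port_range.split()[0])` parse here and in the previous hunk (`get_unused_port`) raises `IndexError` on empty sysctl output, which is acceptable in a test helper but an explicit `if not port_range: raise RuntimeError('empty ip_local_port_range')` would name the failure.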
diff --git a/neutron/tests/functional/agent/linux/test_netlink_lib.py b/neutron/tests/functional/agent/linux/test_netlink_lib.py
index 654884e6a8..dd1963ea02 100644
--- a/neutron/tests/functional/agent/linux/test_netlink_lib.py
+++ b/neutron/tests/functional/agent/linux/test_netlink_lib.py
@@ -45,10 +45,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
for cmd in conntrack_cmds:
try:
- linux_utils.execute(cmd,
- run_as_root=True,
- check_exit_code=True,
- extra_ok_codes=[1])
+ linux_utils.execute(
+ cmd, run_as_root=True, check_exit_code=True,
+ privsep_exec=True, extra_ok_codes=[1])
except RuntimeError:
raise Exception('Error while creating entry')
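Review bot: The `except RuntimeError:` right after the reformatted call re-raises a bare `Exception('Error while creating entry')`, discarding the command output and exit code the original `RuntimeError` carried; `except RuntimeError as e:` with `raise Exception('Error while creating entry') from e` keeps the cause in the traceback. The same pattern recurs in the next hunk with `'Error while listing entries'`. Those lines are unchanged context in this commit, so this is a follow-up rather than something the hunk introduces. The enclosing method starts before this hunk.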
@@ -66,10 +65,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
while start <= end:
cmd = ['conntrack', '-L', '-w', start]
try:
- current_entries = linux_utils.execute(cmd,
- run_as_root=True,
- check_exit_code=True,
- extra_ok_codes=[1])
+ current_entries = linux_utils.execute(
+ cmd, run_as_root=True, check_exit_code=True,
+ privsep_exec=True, extra_ok_codes=[1])
except RuntimeError:
raise Exception('Error while listing entries')
if not current_entries:
diff --git a/neutron/tests/functional/agent/test_firewall.py b/neutron/tests/functional/agent/test_firewall.py
index 27a90cd41a..fa42a91024 100644
--- a/neutron/tests/functional/agent/test_firewall.py
+++ b/neutron/tests/functional/agent/test_firewall.py
@@ -621,7 +621,7 @@ class FirewallTestCase(BaseFirewallTestCase):
# destination net unreachable
self.tester._peer.execute([
'sysctl', '-w', 'net.ipv4.conf.%s.forwarding=1' %
- self.tester._peer.port.name])
+ self.tester._peer.port.name], privsep_exec=True)
self.tester.set_vm_default_gateway(self.tester.peer_ip_address)
vm_sg_rules = [{'ethertype': 'IPv4', 'direction': 'egress',
'protocol': 'icmp'}]
diff --git a/neutron/tests/unit/agent/linux/test_ip_lib.py b/neutron/tests/unit/agent/linux/test_ip_lib.py
index 8f130fff00..8b8b9a9303 100644
--- a/neutron/tests/unit/agent/linux/test_ip_lib.py
+++ b/neutron/tests/unit/agent/linux/test_ip_lib.py
@@ -112,6 +112,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', '-o', 'link', 'list'],
run_as_root=True,
+ privsep_exec=True,
log_fail_as_error=True)
def test_execute_wrapper_int_options(self):
@@ -120,6 +121,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', '-4', 'link', 'list'],
run_as_root=False,
+ privsep_exec=True,
log_fail_as_error=True)
def test_execute_wrapper_no_options(self):
@@ -128,6 +130,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'link', 'list'],
run_as_root=False,
+ privsep_exec=True,
log_fail_as_error=True)
def test_run_no_namespace(self):
@@ -135,6 +138,7 @@ class TestSubProcessBase(base.BaseTestCase):
base._run([], 'link', ('list',))
self.execute.assert_called_once_with(['ip', 'link', 'list'],
run_as_root=False,
+ privsep_exec=True,
log_fail_as_error=True)
def test_run_namespace(self):
@@ -143,6 +147,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
'ip', 'link', 'list'],
run_as_root=True,
+ privsep_exec=True,
log_fail_as_error=True)
def test_as_root_namespace(self):
@@ -151,6 +156,7 @@ class TestSubProcessBase(base.BaseTestCase):
self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
'ip', 'link', 'list'],
run_as_root=True,
+ privsep_exec=True,
log_fail_as_error=True)
diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py
index 58200b68eb..88ad033725 100644
--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py
+++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py
@@ -70,49 +70,42 @@ class BaseIpsetManagerTest(base.BaseTestCase):
input = '\n'.join(temp_input)
self.expected_calls.extend([
mock.call(['ipset', 'restore', '-exist'],
- process_input=input,
- run_as_root=True,
- check_exit_code=True),
+ process_input=input, run_as_root=True,
+ check_exit_code=True, privsep_exec=True),
mock.call(['ipset', 'swap', TEST_SET_NAME_NEW, TEST_SET_NAME],
- process_input=None,
- run_as_root=True,
- check_exit_code=True),
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True),
mock.call(['ipset', 'destroy', TEST_SET_NAME_NEW],
- process_input=None,
- run_as_root=True,
- check_exit_code=False)])
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True)])
def expect_add(self, addresses):
self.expected_calls.extend(
mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
- process_input=None,
- run_as_root=True,
- check_exit_code=True)
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True)
for ip in self.ipset._sanitize_addresses(addresses))
def expect_del(self, addresses):
self.expected_calls.extend(
mock.call(['ipset', 'del', TEST_SET_NAME, ip],
- process_input=None,
- run_as_root=True,
- check_exit_code=False)
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True)
for ip in self.ipset._sanitize_addresses(addresses))
def expect_create(self):
self.expected_calls.append(
mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
'hash:net', 'family', 'inet'],
- process_input=None,
- run_as_root=True,
- check_exit_code=True))
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True))
def expect_destroy(self):
self.expected_calls.append(
mock.call(['ipset', 'destroy', TEST_SET_NAME],
- process_input=None,
- run_as_root=True,
- check_exit_code=False))
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True))
def add_first_ip(self):
self.expect_set([FAKE_IPS[0]])
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 725b2bed08..91106238d3 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1418,8 +1418,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
cmd.extend(['-w', ct_zone])
calls = [
- mock.call(cmd, run_as_root=True, check_exit_code=True,
- extra_ok_codes=[1])]
+ mock.call(cmd, run_as_root=True, privsep_exec=True,
+ check_exit_code=True, extra_ok_codes=[1])]
self.utils_exec.assert_has_calls(calls)
def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
@@ -1472,8 +1472,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
if ct_zone:
cmd.extend(['-w', ct_zone])
expected_calls.append(
- mock.call(cmd, run_as_root=True, check_exit_code=True,
- extra_ok_codes=[1]))
+ mock.call(cmd, run_as_root=True, privsep_exec=True,
+ check_exit_code=True, extra_ok_codes=[1]))
return expected_calls
def _test_remove_conntrack_entries_for_port_sec_group_change(self,
@@ -1578,7 +1578,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
conntrack_cmd.extend([remote_ip_direction, ips[ethertype][1]])
calls.append(mock.call(conntrack_cmd,
- run_as_root=True, check_exit_code=True,
+ run_as_root=True, privsep_exec=True,
+ check_exit_code=True,
extra_ok_codes=[1]))
self.utils_exec.assert_has_calls(calls)