author | Michael Still <mikal@stillhq.com> | 2017-10-25 15:20:13 +1100 |
---|---|---|
committer | Michael Still <mikal@stillhq.com> | 2017-11-02 12:09:27 +1100 |
commit | 0c961741e03a0e08f7c39f508afcc9267be0ee7f (patch) | |
tree | 39c1938aadf35c8daca0d9dfabaaba9a58cea37c | |
parent | 30c2cfffab9b2f3289bbad8334a6bca1b88a745a (diff) | |
download | nova-0c961741e03a0e08f7c39f508afcc9267be0ee7f.tar.gz |
Move infiniband vif plugging to privsep.
This code isn't well labelled, but I am pretty sure it is for
Mellanox Infiniband VIFs. Same pattern as the others.
As best as I can see these methods had no test coverage, but I think
that's outside the scope of the current privsep work to fix.
Change-Id: I323399643c9978a115fdc1213876da2d85dcd8db
blueprint: hurrah-for-privsep
-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 3 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 11 | ||||
-rw-r--r-- | nova/virt/libvirt/vif.py | 9 | ||||
-rw-r--r-- | releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml | 2 |
4 files changed, 16 insertions, 9 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index a2fc4754fa..4ccb68f4db 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -49,9 +49,6 @@ ivs-ctl: CommandFilter, ivs-ctl, root
 # nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
 vrouter-port-control: CommandFilter, vrouter-port-control, root
 
-# nova/virt/libvirt/vif.py: 'ebrctl', ...
-ebrctl: CommandFilter, ebrctl, root
-
 # nova/virt/libvirt/vif.py: 'mm-ctl', ...
 mm-ctl: CommandFilter, mm-ctl, root
 
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 244fd0d8ec..9c71a1c129 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -221,6 +221,17 @@ def bridge_delete_interface(bridge, removeif):
 
 
 @nova.privsep.sys_admin_pctxt.entrypoint
+def plug_infiniband_vif(vnic_mac, device_id, fabric, net_model, pci_slot):
+    processutils.execute('ebrctl', 'add-port', vnic_mac, device_id,
+                         fabric, net_model, pci_slot)
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def unplug_infiniband_vif(fabric, vnic_mac):
+    processutils.execute('ebrctl', 'del-port', fabric, vnic_mac)
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
     """Disable multicast snooping for a bridge."""
     with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
index a561611acb..fa08ca8c2e 100644
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
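Review bot: `plug_infiniband_vif` and `unplug_infiniband_vif` forward every argument to `ebrctl` unchecked while running under `sys_admin_pctxt`, and neither carries a docstring, unlike the neighbouring `disable_multicast_snooping`. With the rootwrap `CommandFilter` for ebrctl removed in the same commit, the privsep daemon is now the point at which these caller-supplied values become privileged, so that should be stated where the next reader will see it; `processutils.execute` is presumably invoked without a shell here, so the values cannot chain further commands, but ebrctl itself still acts on whatever it is handed. I'd add `"""Plug an IB hostdev VIF with 'ebrctl add-port'; arguments are passed through unvalidated."""` on the first and `"""Unplug an IB hostdev VIF with 'ebrctl del-port'."""` on the second, and, if ebrctl's expected formats for `vnic_mac` and `pci_slot` are documented, check them before the execute call.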
@@ -616,9 +616,9 @@ class LibvirtGenericVIFDriver(object):
         device_id = instance['uuid']
         vnic_mac = vif['address']
         try:
-            utils.execute('ebrctl', 'add-port', vnic_mac, device_id,
-                          fabric, network_model.VIF_TYPE_IB_HOSTDEV,
-                          pci_slot, run_as_root=True)
+            nova.privsep.libvirt.plug_infiniband_vif(
+                vnic_mac, device_id, fabric,
+                network_model.VIF_TYPE_IB_HOSTDEV, pci_slot)
         except processutils.ProcessExecutionError:
             LOG.exception(_("Failed while plugging ib hostdev vif"),
                           instance=instance)
@@ -818,8 +818,7 @@ class LibvirtGenericVIFDriver(object):
         )
         vnic_mac = vif['address']
         try:
-            utils.execute('ebrctl', 'del-port', fabric, vnic_mac,
-                          run_as_root=True)
+            nova.privsep.libvirt.unplug_infiniband_vif(fabric, vnic_mac)
         except Exception:
             LOG.exception(_("Failed while unplugging ib hostdev vif"))
 
diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
index 49db6d4736..8b9ee8fd05 100644
--- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
+++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
@@ -10,7 +10,7 @@ upgrade:
     internal functionality using privsep.
   - |
     The following commands are no longer required to be listed in your rootwrap
-    configuration: blkid; cat; chown; cryptsetup; dd; kpartx; losetup;
+    configuration: blkid; cat; chown; cryptsetup; dd; ebrctl; kpartx; losetup;
     lvcreate; lvremove; lvs; mkdir; mount; nova-idmapshift; ploop;
     prl_disk_tool; qemu-nbd; readlink; shred; tee; touch; umount; vgs; and xend. |
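Review bot: The plug path in the first vif.py hunk still catches only `processutils.ProcessExecutionError`, which after this change must be re-raised across the privsep daemon boundary rather than raised in-process; if the client side cannot reconstruct that exception type, or the daemon itself cannot be reached, the failure escapes this handler, whereas the unplug hunk catches `Exception`. The commit message says neither method has test coverage, so a mismatch here would go unnoticed. A one-line comment such as `# privsep re-raises the daemon-side ProcessExecutionError here` records the assumption the narrow handler now relies on; whether the two handlers should be aligned is a separate decision. Both enclosing methods start outside their hunks.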