-rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 3 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 19 | ||||
-rw-r--r-- | nova/tests/unit/virt/libvirt/test_vif.py | 59 | ||||
-rw-r--r-- | nova/virt/libvirt/vif.py | 14 | ||||
-rw-r--r-- | releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml | 2 |
5 files changed, 41 insertions, 56 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index 3cf5318055..3405374b8b 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -46,9 +46,6 @@ ovs-vsctl: CommandFilter, ovs-vsctl, root
 # nova/network/linux_net.py: 'ivs-ctl', ....
 ivs-ctl: CommandFilter, ivs-ctl, root
-# nova/virt/libvirt/vif.py: 'vrouter-port-control', ...
-vrouter-port-control: CommandFilter, vrouter-port-control, root
-
 # nova/network/linux_net.py: 'ovs-ofctl', ....
 ovs-ofctl: CommandFilter, ovs-ofctl, root
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 2eba2c6818..05bd124518 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -256,6 +256,25 @@ def unplug_plumgrid_vif(dev):
 @nova.privsep.sys_admin_pctxt.entrypoint
+def plug_contrail_vif(instance, vif, ip_addr, ip6_addr, ptype):
+ cmd_args = ('--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s '
+ '--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s'
+ ' --vm_name=%s --mac=%s --tap_name=%s --port_type=%s '
+ '--tx_vlan_id=%d --rx_vlan_id=%d'
+ % (vif['id'], instance.uuid, vif['network']['id'],
+ instance.project_id, ip_addr, ip6_addr,
+ instance.display_name, vif['address'],
+ vif['devname'], ptype, -1, -1))
+ processutils.execute('vrouter-port-control', cmd_args)
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def unplug_contrail_vif(vif):
+ cmd_args = ('--oper=delete --uuid=%s' % (vif['id']))
+ processutils.execute('vrouter-port-control', cmd_args)
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
 def disable_multicast_snooping(interface):
 """Disable multicast snooping for a bridge."""
 with open('/sys/class/net/%s/bridge/multicast_snooping' % interface,
diff --git a/nova/tests/unit/virt/libvirt/test_vif.py b/nova/tests/unit/virt/libvirt/test_vif.py
index 78fafc751d..5187af0b73 100644
--- a/nova/tests/unit/virt/libvirt/test_vif.py
+++ b/nova/tests/unit/virt/libvirt/test_vif.py
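Review bot: `plug_contrail_vif` and `unplug_contrail_vif` take the whole `instance` and `vif` objects as entrypoint arguments, but a privsep entrypoint executes in a separate root daemon and oslo.privsep has to marshal its arguments across that channel; Nova's Instance object and the network-model VIF are not plain primitives, so the call is likely to fail at the boundary unless privsep happens to run in-process, and the test hunks mock both entrypoints so they would not surface this. Passing only the primitive fields also keeps the privilege boundary narrow and reviewable: the root-side code then sees exactly the strings it will put on the command line and can sanity-check them. Pre-existing but worth noting now that the command runs as root via privsep rather than rootwrap: `instance.display_name` is user-controlled and is interpolated unvalidated into `cmd_args`; `processutils.execute` does not spawn a shell, so the string stays one argv element, but if `vrouter-port-control` re-tokenizes that argument a display name containing whitespace could smuggle extra options, which is worth confirming against that tool. A shape like the following would address the marshalling issue, with the callers in nova/virt/libvirt/vif.py passing `instance.project_id, instance.uuid, instance.display_name, vif['id'], vif['network']['id'], ptype, vif['devname'], vif['address'], ip_addr, ip6_addr` and `vif['id']` respectively.
```python
@nova.privsep.sys_admin_pctxt.entrypoint
def plug_contrail_vif(project_id, vm_id, vm_name, vif_id, net_id, port_type,
                      dev_name, mac, ip_addr, ip6_addr):
    """Add a Contrail virtual port.

    Only primitive values are accepted so they can cross the privsep
    channel and be inspected here before reaching a root process.
    """
    cmd_args = ('--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s '
                '--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s'
                ' --vm_name=%s --mac=%s --tap_name=%s --port_type=%s '
                '--tx_vlan_id=%d --rx_vlan_id=%d'
                % (vif_id, vm_id, net_id, project_id, ip_addr, ip6_addr,
                   vm_name, mac, dev_name, port_type, -1, -1))
    processutils.execute('vrouter-port-control', cmd_args)


@nova.privsep.sys_admin_pctxt.entrypoint
def unplug_contrail_vif(vif_id):
    """Delete the Contrail virtual port identified by vif_id."""
    cmd_args = ('--oper=delete --uuid=%s' % (vif_id))
    processutils.execute('vrouter-port-control', cmd_args)
```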
@@ -1039,16 +1039,14 @@ class LibvirtVifTestCase(test.NoDBTestCase):
 self.vif_iovisor['network']['id'],
 self.instance.project_id)])
- def test_unplug_vrouter_with_details(self):
+ @mock.patch('nova.privsep.libvirt.unplug_contrail_vif')
+ def test_unplug_vrouter_with_details(self, mock_unplug_contrail):
 d = vif.LibvirtGenericVIFDriver()
- with mock.patch.object(utils, 'execute') as execute:
- d.unplug(self.instance, self.vif_vrouter)
- execute.assert_called_once_with(
- 'vrouter-port-control',
- '--oper=delete --uuid=vif-xxx-yyy-zzz',
- run_as_root=True)
+ d.unplug(self.instance, self.vif_vrouter)
+ mock_unplug_contrail.assert_called_once_with(self.vif_vrouter)
- def test_plug_vrouter_with_details(self):
+ @mock.patch('nova.privsep.libvirt.plug_contrail_vif')
+ def test_plug_vrouter_with_details(self, mock_plug_contrail):
 d = vif.LibvirtGenericVIFDriver()
 instance = mock.Mock()
 instance.name = 'instance-name'
@@ -1062,23 +1060,14 @@ class LibvirtVifTestCase(test.NoDBTestCase):
 mock.call('ip', 'tuntap', 'add', 'tap-xxx-yyy-zzz', 'mode', 'tap',
 run_as_root=True, check_exit_code=[0, 2, 254]),
 mock.call('ip', 'link', 'set', 'tap-xxx-yyy-zzz', 'up',
- run_as_root=True, check_exit_code=[0, 2, 254]),
- mock.call('vrouter-port-control',
- '--oper=add --uuid=vif-xxx-yyy-zzz '
- '--instance_uuid=46a4308b-e75a-4f90-a34a-650c86ca18b2 '
- '--vn_uuid=network-id-xxx-yyy-zzz '
- '--vm_project_uuid=b168ea26fa0c49c1a84e1566d9565fa5 '
- '--ip_address=0.0.0.0 '
- '--ipv6_address=None '
- '--vm_name=instance1 '
- '--mac=ca:fe:de:ad:be:ef '
- '--tap_name=tap-xxx-yyy-zzz '
- '--port_type=NovaVMPort '
- '--tx_vlan_id=-1 '
- '--rx_vlan_id=-1', run_as_root=True)])
+ run_as_root=True, check_exit_code=[0, 2, 254])])
+ mock_plug_contrail.called_once_with(
+ instance, self.vif_vrouter, '0.0.0.0', None, 'NovaVMPort')
 @mock.patch('nova.network.linux_net.create_tap_dev')
- def test_plug_vrouter_with_details_multiqueue(self, mock_create_tap_dev):
+ @mock.patch('nova.privsep.libvirt.plug_contrail_vif')
+ def test_plug_vrouter_with_details_multiqueue(
+ self, mock_plug_contrail, mock_create_tap_dev):
 d = vif.LibvirtGenericVIFDriver()
 instance = mock.Mock()
 instance.name = 'instance-name'
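Review bot: `mock_plug_contrail.called_once_with(...)` is not an assertion: on a Mock it is just an auto-created attribute that is called and discarded, so the test passes without ever checking how the privsep entrypoint was invoked, and the replacement for the removed `execute.assert_called_once_with('vrouter-port-control', ...)` check is therefore empty. It should read `mock_plug_contrail.assert_called_once_with(instance, self.vif_vrouter, '0.0.0.0', None, 'NovaVMPort')`, as the multiqueue variant in the next hunk correctly does. The body of test_plug_vrouter_with_details begins in the previous hunk.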
@@ -1088,24 +1077,12 @@ class LibvirtVifTestCase(test.NoDBTestCase):
 instance.image_meta = objects.ImageMeta.from_dict({
 'properties': {'hw_vif_multiqueue_enabled': True}})
 instance.flavor.vcpus = 2
- with mock.patch.object(utils, 'execute') as execute:
- d.plug(instance, self.vif_vrouter)
- mock_create_tap_dev.assert_called_once_with('tap-xxx-yyy-zzz',
- multiqueue=True)
- execute.assert_called_once_with(
- 'vrouter-port-control',
- '--oper=add --uuid=vif-xxx-yyy-zzz '
- '--instance_uuid=46a4308b-e75a-4f90-a34a-650c86ca18b2 '
- '--vn_uuid=network-id-xxx-yyy-zzz '
- '--vm_project_uuid=b168ea26fa0c49c1a84e1566d9565fa5 '
- '--ip_address=0.0.0.0 '
- '--ipv6_address=None '
- '--vm_name=instance1 '
- '--mac=ca:fe:de:ad:be:ef '
- '--tap_name=tap-xxx-yyy-zzz '
- '--port_type=NovaVMPort '
- '--tx_vlan_id=-1 '
- '--rx_vlan_id=-1', run_as_root=True)
+ d.plug(instance, self.vif_vrouter)
+ mock_create_tap_dev.assert_called_once_with('tap-xxx-yyy-zzz',
+ multiqueue=True)
+
+ mock_plug_contrail.assert_called_once_with(
+ instance, self.vif_vrouter, '0.0.0.0', None, 'NovaVMPort')
 def test_ivs_ethernet_driver(self):
 d = vif.LibvirtGenericVIFDriver()
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
index 03f03d2387..b0a75bd11b 100644
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
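Review bot: With `nova.privsep.libvirt.plug_contrail_vif` patched out here and in the previous two hunks, the exact `vrouter-port-control` argument string that the removed assertions used to pin (`--oper=add --uuid=... --tx_vlan_id=-1 --rx_vlan_id=-1`) is no longer checked anywhere in this change, and the diffstat shows no test added under nova/tests/unit/privsep for the new entrypoints. A small test that patches `processutils.execute` and calls `nova.privsep.libvirt.plug_contrail_vif(...)` directly, asserting `mock_execute.assert_called_once_with('vrouter-port-control', <expected string>)`, would restore that coverage, assuming the unit-test fixture runs privsep entrypoints in-process as it presumably does for the sibling entrypoints. The enclosing test method starts in the previous hunk.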
@@ -719,19 +719,12 @@ class LibvirtGenericVIFDriver(object):
 if (CONF.libvirt.virt_type == 'lxc'):
 ptype = 'NameSpacePort'
- cmd_args = ("--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s "
- "--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s"
- " --vm_name=%s --mac=%s --tap_name=%s --port_type=%s "
- "--tx_vlan_id=%d --rx_vlan_id=%d" % (vif['id'],
- instance.uuid, vif['network']['id'],
- instance.project_id, ip_addr, ip6_addr,
- instance.display_name, vif['address'],
- vif['devname'], ptype, -1, -1))
 try:
 multiqueue = self._is_multiqueue_enabled(instance.image_meta,
 instance.flavor)
 linux_net.create_tap_dev(dev, multiqueue=multiqueue)
- utils.execute('vrouter-port-control', cmd_args, run_as_root=True)
+ nova.privsep.libvirt.plug_contrail_vif(
+ instance, vif, ip_addr, ip6_addr, ptype)
 except processutils.ProcessExecutionError:
 LOG.exception(_("Failed while plugging vif"), instance=instance)
@@ -882,9 +875,8 @@ class LibvirtGenericVIFDriver(object):
 Unbind the vif from a Contrail virtual port.
 """
 dev = self.get_vif_devname(vif)
- cmd_args = ("--oper=delete --uuid=%s" % (vif['id']))
 try:
- utils.execute('vrouter-port-control', cmd_args, run_as_root=True)
+ nova.privsep.libvirt.unplug_contrail_vif(vif)
 linux_net.delete_net_dev(dev)
 except processutils.ProcessExecutionError:
 LOG.exception(_("Failed while unplugging vif"), instance=instance)
diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
index dd4938bd25..2ed2f70b03 100644
--- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
+++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
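Review bot: The `except processutils.ProcessExecutionError` that now wraps `nova.privsep.libvirt.plug_contrail_vif(instance, vif, ip_addr, ip6_addr, ptype)` only covers a non-zero exit of `vrouter-port-control` re-raised from inside the privsep daemon; failures of the privsep channel itself (the daemon not starting, or the `instance`/`vif` objects failing to marshal across it) presumably surface as other exception types and will now propagate out of this method instead of being logged as "Failed while plugging vif", whereas with rootwrap a sudo failure also arrived as a ProcessExecutionError and was swallowed here. If the swallow-and-log behaviour is intended for every failure of the port-control step, the handler should be widened deliberately to whatever privsep raises for channel errors; if not, a one-line comment such as `# privsep-level errors are not caught here and abort the plug` would save the next reader the guess. The enclosing plug method begins before this hunk, and the same question applies to the unplug hunk below.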
@@ -13,4 +13,4 @@ upgrade: configuration: blkid; cat; chown; cryptsetup; dd; ebrctl; ifc_ctl; kpartx; losetup; lvcreate; lvremove; lvs; mkdir; mm-ctl; mount; nova-idmapshift; ploop; prl_disk_tool; qemu-nbd; readlink; shred; tee; touch; umount; vgs; - and xend. + vrouter-port-control; and xend. |