Astara oslo.rootwrap

Use oslo.rootwrap to replace the default root_helper sudo. Add network filer for ip, ovs-vsctl, ovs-ofctl command. Change-Id: I13d42b32b6589069a73d33eb67eed117cd519a5b Implements: blueprint astara-rootwrap
2016-01-07 21:00:31 +08:00 · 2016-01-07 21:00:31 +08:00 · 087132fac6
parent 7a69eb0f7e
commit 087132fac6
9 changed files with 78 additions and 12 deletions
--- a/astara/common/linux/interface.py
+++ b/astara/common/linux/interface.py
@ -62,9 +62,9 @@ OPTS = [
 CONF.register_opts(OPTS)


-# NOTE(adam_g): These need a better home
 AGENT_OPTIONS = [
-    cfg.StrOpt('root_helper', default='sudo'),
+    cfg.StrOpt('root_helper',
+               default='sudo astara-rootwrap /etc/astara/rootwrap.conf'),
 ]
 CONF.register_group(cfg.OptGroup(name='AGENT'))
 CONF.register_opts(AGENT_OPTIONS, 'AGENT')
--- a/astara/test/unit/common/test_linux_interface.py
+++ b/astara/test/unit/common/test_linux_interface.py
@ -75,7 +75,10 @@ class FakePort:
 class TestBase(unittest.TestCase):
    def setUp(self):
        root_helper_opt = [
-            cfg.StrOpt('root_helper', default='sudo'),
+            cfg.StrOpt(
+                'root_helper',
+                default='sudo astara-rootwrap /etc/astara/rootwrap.conf'
+            ),
        ]
        self.conf = cfg.CONF
        self.conf.register_opts(root_helper_opt)
@ -114,7 +117,7 @@ class TestABCDriver(TestBase):
        ns = '12345678-1234-5678-90ab-ba0987654321'
        bc.init_l3('tap0', ['192.168.1.2/24'], namespace=ns)
        self.ip_dev.assert_has_calls(
-            [mock.call('tap0', 'sudo', namespace=ns),
+            [mock.call('tap0', self.conf.root_helper, namespace=ns),
             mock.call().addr.list(scope='global', filters=['permanent']),
             mock.call().addr.add(4, '192.168.1.2/24', '192.168.1.255'),
             mock.call().addr.delete(4, '172.16.77.240/24')])
@ -158,9 +161,9 @@ class TestOVSInterfaceDriver(TestBase):
                     'aa:bb:cc:dd:ee:ff',
                     bridge=bridge,
                     namespace=namespace)
-            execute.assert_called_once_with(vsctl_cmd, 'sudo')
+            execute.assert_called_once_with(vsctl_cmd, self.conf.root_helper)

-        expected = [mock.call('sudo'),
+        expected = [mock.call(self.conf.root_helper),
                    mock.call().device('tap0'),
                    mock.call().device().link.set_address('aa:bb:cc:dd:ee:ff')]
        expected.extend(additional_expectation)
@ -183,7 +186,7 @@ class TestOVSInterfaceDriver(TestBase):
        with mock.patch('astara.common.linux.ovs_lib.OVSBridge') as ovs_br:
            ovs = interface.OVSInterfaceDriver(self.conf)
            ovs.unplug('tap0')
-            ovs_br.assert_has_calls([mock.call(bridge, 'sudo'),
+            ovs_br.assert_has_calls([mock.call(bridge, self.conf.root_helper),
                                     mock.call().delete_port('tap0')])


@ -216,7 +219,8 @@ class TestBridgeInterfaceDriver(TestBase):
                'aa:bb:cc:dd:ee:ff',
                namespace=namespace)

-        ip_calls = [mock.call('sudo'), mock.call().add_veth('tap0', 'ns-0')]
+        ip_calls = [mock.call(self.conf.root_helper),
+                    mock.call().add_veth('tap0', 'ns-0')]
        if namespace:
            ip_calls.extend([
                mock.call().ensure_namespace('01234567-1234-1234-99'),
@ -246,7 +250,9 @@ class TestBridgeInterfaceDriver(TestBase):
        with mock.patch('astara.common.linux.interface.LOG') as log:
            br = interface.BridgeInterfaceDriver(self.conf)
            br.unplug('tap0')
-            [mock.call(), mock.call('tap0', 'sudo'), mock.call().link.delete()]
+            [mock.call(),
+             mock.call('tap0', self.conf.root_helper),
+             mock.call().link.delete()]
            self.assertEqual(log.exception.call_count, 1)

    def test_unplug(self):
@ -256,5 +262,6 @@ class TestBridgeInterfaceDriver(TestBase):
            br.unplug('tap0')
            self.assertEqual(log.call_count, 1)

-        self.ip_dev.assert_has_calls([mock.call('tap0', 'sudo', None),
-                                      mock.call().link.delete()])
+        self.ip_dev.assert_has_calls([
+            mock.call('tap0', self.conf.root_helper, None),
+            mock.call().link.delete()])
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -63,6 +63,13 @@ function configure_astara() {
    sudo mkdir -p $ASTARA_CACHE_DIR
    sudo chown $STACK_USER $ASTARA_CACHE_DIR

+    if [[ ! -d $ASTARA_CONF_DIR/rootwrap.d ]]; then
+        sudo mkdir -p $ASTARA_CONF_DIR/rootwrap.d
+    fi
+
+    sudo cp $ASTARA_DIR/etc/rootwrap.conf $ASTARA_CONF_DIR
+    sudo cp $ASTARA_DIR/etc/rootwrap.d/* $ASTARA_CONF_DIR/rootwrap.d/
+
    cp $ASTARA_DIR/etc/orchestrator.ini $ASTARA_CONF
    iniset $ASTARA_CONF DEFAULT verbose True
    configure_auth_token_middleware $ASTARA_CONF $Q_ADMIN_USERNAME $ASTARA_CACHE_DIR
--- a/etc/orchestrator.ini
+++ b/etc/orchestrator.ini
@ -56,7 +56,7 @@ control_exchange = quantum
 neutron_port_security_extension_enabled = True

 [AGENT]
-root_helper=sudo
+root_helper=sudo astara-rootwrap /etc/astara/rootwrap.conf

 # If running multiple astara instances, configure use of an external
 # cluster coordinator here. For more information on supported coordination
--- a/etc/rootwrap.conf
+++ b/etc/rootwrap.conf
@ -0,0 +1,27 @@
+# Configuration for astara-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/astara/rootwrap.d
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, local0, local1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
--- a/etc/rootwrap.d/network.filters
+++ b/etc/rootwrap.d/network.filters
@ -0,0 +1,18 @@
+# astara-rootwrap command filters for astara
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# astara/common/linux/ip_lib.py: 'ip', 'link', ..
+# astara/common/linux/ip_lib.py: 'ip', 'addr', ..
+# astara/common/linux/ip_lib.py: 'ip', 'route', ..
+ip: IpFilter, ip, root
+
+# astara/common/linux/ip_lib.py: 'ip', 'netns', 'exec', 'namespace', 'ip', ..
+ip_exec: IpNetnsExecFilter, ip, root
+
+# astara/common/linux/interface.py: 'ovs-vsctl'..
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+
+# astara/common/linux/ovs_lib.py: 'ovs-ofctl'..
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+
--- a/releasenotes/notes/astara-rootwrap-59731966fb3a0117.yaml
+++ b/releasenotes/notes/astara-rootwrap-59731966fb3a0117.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - >
+    `Blueprint astara-rootwrap <https://blueprints.launchpad.net/astara/+spec/astara-rootwrap>`_ \-
+    We replace shelling out directly to sudo with the oslo.rootwrap library.
--- a/requirements.txt
+++ b/requirements.txt
@ -14,6 +14,7 @@ oslo.log>=1.14.0 # Apache-2.0
 oslo.messaging!=2.8.0,!=3.1.0,>2.6.1 # Apache-2.0
 oslo.serialization>=1.10.0 # Apache-2.0
 oslo.utils>=3.2.0 # Apache-2.0
+oslo.rootwrap>=2.0.0 # Apache-2.0
 WebOb>=1.2.3
 python-novaclient!=2.33.0,>=2.29.0
 cliff>=1.15.0 # Apache-2.0
--- a/setup.cfg
+++ b/setup.cfg
@ -37,6 +37,7 @@ console_scripts =
    astara-debug-router=astara.debug:debug_one_router
    astara-dbsync=astara.db.sqlalchemy.dbsync:main
    astara-ctl=astara.cli.main:main
+    astara-rootwrap=oslo_rootwrap.cmd:main
 astara.cli =
    config reload=astara.cli.config:ConfigReload