Move xenapi xenstore_read's to privsep.

Self explainatory really.

Change-Id: I1d63dd771e4f44ac131c37563bff42b970c44a09
blueprint: hurrah-for-privsep

nova/privsep/xenapi.py

@@ -0,0 +1,26 @@
+# Copyright 2018 Michael Still and Aptira
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""
+xenapi specific routines.
+"""
+
+from oslo_concurrency import processutils
+
+import nova.privsep
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def xenstore_read(path):
+    return processutils.execute('xenstore-read', path)

nova/tests/unit/virt/xenapi/test_vm_utils.py

@@ -198,22 +198,16 @@ class XenAPIGetUUID(VMUtilsTestBase):
                          vm_utils.get_this_vm_uuid(None))
         self.mox.VerifyAll()
 
-    def test_get_this_vm_uuid_old_kernel_reboot(self):
-        self.mox.StubOutWithMock(vm_utils, '_get_sys_hypervisor_uuid')
-        self.mox.StubOutWithMock(utils, 'execute')
+    @mock.patch('nova.virt.xenapi.vm_utils._get_sys_hypervisor_uuid')
+    @mock.patch('nova.privsep.xenapi.xenstore_read')
+    def test_get_this_vm_uuid_old_kernel_reboot(self, fake_read, fake_uuid):
+        fake_uuid.side_effect = IOError(13, 'Permission denied')
+        fake_read.side_effect = [
+            ('27', ''),
+            ('/vm/2f46f0f5-f14c-ef1b-1fac-9eeca0888a3f', '')]
 
-        vm_utils._get_sys_hypervisor_uuid().AndRaise(
-            IOError(13, 'Permission denied'))
-        utils.execute('xenstore-read', 'domid', run_as_root=True).AndReturn(
-            ('27', ''))
-        utils.execute('xenstore-read', '/local/domain/27/vm',
-                      run_as_root=True).AndReturn(
-            ('/vm/2f46f0f5-f14c-ef1b-1fac-9eeca0888a3f', ''))
-
-        self.mox.ReplayAll()
         self.assertEqual('2f46f0f5-f14c-ef1b-1fac-9eeca0888a3f',
                          vm_utils.get_this_vm_uuid(None))
-        self.mox.VerifyAll()
 
 
 class FakeSession(object):

nova/virt/xenapi/vm_utils.py

@@ -54,6 +54,7 @@ from nova.network import model as network_model
 from nova.objects import diagnostics
 from nova.objects import fields as obj_fields
 import nova.privsep.fs
+import nova.privsep.xenapi
 from nova import utils
 from nova.virt import configdrive
 from nova.virt.disk import api as disk
@@ -2235,10 +2236,9 @@ def get_this_vm_uuid(session):
         # Some guest kernels (without 5c13f8067745efc15f6ad0158b58d57c44104c25)
         # cannot read from uuid after a reboot.  Fall back to trying xenstore.
         # See https://bugs.launchpad.net/ubuntu/+source/xen-api/+bug/1081182
-        domid, _ = utils.execute('xenstore-read', 'domid', run_as_root=True)
-        vm_key, _ = utils.execute('xenstore-read',
-                                 '/local/domain/%s/vm' % domid.strip(),
-                                 run_as_root=True)
+        domid, _ = nova.privsep.xenapi.xenstore_read('domid')
+        vm_key, _ = nova.privsep.xenapi.xenstore_read(
+            '/local/domain/%s/vm' % domid.strip())
         return vm_key.strip()[4:]
 
 

releasenotes/notes/privsep-rocky-rootwrap-adds-644c43fbd86f9f8a.yaml

@@ -2,4 +2,4 @@
 upgrade:
   - |
     The following commands are no longer required to be listed in your rootwrap
-    configuration: mkfs; tune2fs.
+    configuration: mkfs; tune2fs; xenstore_read.