Merge "Avoid overwriting sys.path "ip" command"

This commit is contained in:
Zuul 2018-04-11 15:26:27 +00:00 committed by Gerrit Code Review
commit da8a8051b7
2 changed files with 12 additions and 10 deletions

View File

@ -329,7 +329,7 @@ The monasca-setup detection plugin for libvirt performs the following tests and
1. Ability to determine the name of the user under which monasca-agent processes run (eg, `mon-agent`)
2. Availability of the `python-neutronclient` library (by attempting to import `client` from `neutronclient.v2_0`)
3. A separate enhanced-capabilities `ip` command exists:
a. The detection plugin copies `/sbin/ip` to `sys.path[0]` (see the [configuration](#configuration) section above for an example)
a. The detection plugin copies `/sbin/ip` to `sys.path[0]/monasca-agent-ip` (see the [configuration](#configuration) section above for an example)
b. Permissions on the copy are changed to the `mon-agent` user (or whichever Agent user is configured), mode 0700.
c. The `/sbin/setcap` command is called, applying `cap_sys_admin+ep` to the copy, as `cap_sys_admin` is the only capability which provides `setns`, necessary to execute commands in a separate namespace.
d. The detection plugin confirms that the enhanced capabilities were successfully applied

View File

@ -144,19 +144,21 @@ class Libvirt(plugin.Plugin):
'required for ping checks.')
return
# Copy system 'ip' command to local directory
copy(ip_cmd, sys.path[0])
# TODO(dmllr) Find a better rundir or avoid copying the binary
# alltogether. see https://storyboard.openstack.org/#!/story/2001593
monasca_rundir = sys.path[0]
monasca_ip = "{0}/monasca-agent-ip".format(monasca_rundir)
# Copy system 'ip' command to monasca_rundir
copy(ip_cmd, monasca_ip)
# Restrict permissions on the local 'ip' command
os.chown("{0}/ip".format(sys.path[0]),
*self._get_user_uid_gid(self._agent_user))
os.chmod("{0}/ip".format(sys.path[0]),
0o700)
os.chown(monasca_ip, *self._get_user_uid_gid(self._agent_user))
os.chmod(monasca_ip, 0o700)
# Set capabilities on 'ip' which will allow
# self.agent_user to exec commands in namespaces
setcap_cmd = ['/sbin/setcap', 'cap_sys_admin+ep',
"{0}/ip".format(sys.path[0])]
monasca_ip]
subprocess.Popen(setcap_cmd, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
# Verify that the capabilities were set
@ -166,8 +168,8 @@ class Libvirt(plugin.Plugin):
for ping_cmd in ping_options:
if os.path.isfile(ping_cmd[0]):
init_config[
'ping_check'] = "{0}/ip netns exec NAMESPACE {1}".format(
sys.path[0],
'ping_check'] = "{0} netns exec NAMESPACE {1}".format(
monasca_ip,
' '.join(ping_cmd))
log.info(
"\tEnabling ping checks using {0}".format(ping_cmd[0]))