Copy/remove the strongswan.d config as root

The strongswan.d config dir (usually /etc/strongswan.d) is normally owned
by root, but neutron-vpn-agent may run as a non-root user, so the files have
to be copied (and later removed) as root to avoid a "permission denied" error.

Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
(cherry picked from commit beff6e945c)
Thomas Bechtold 2016-05-30 11:52:43 +02:00
parent 64cdae8b7e
commit 49ecc81bc2
3 changed files with 11 additions and 5 deletions


@ -8,9 +8,11 @@
[Filters]
cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
ipsec: CommandFilter, ipsec, root
rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
strongswan: CommandFilter, strongswan, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
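Review bot: The new `cp` and `rm` filters constrain their paths only by suffix, so the agent's non-root user can now run `cp -a <any path> /etc/strongswan.d` and `rm -rf /etc/strongswan.d` through rootwrap: the source pattern `.*` matches anything, and `.*/strongswan.d` matches the system directory the commit description names as the usual source, not just the copy under the agent's config dir. A compromised or misbehaving agent could therefore replace or wipe the host-wide strongSwan configuration as root, which is a far larger grant than the bug needs. Anchor both arguments to the one direction actually used, roughly `cp: RegExpFilter, cp, root, cp, -a, /etc/strongswan\.d, <state_path>/ipsec/[0-9a-z-]+/etc/strongswan\.d` with the real state_path prefix (commonly /var/lib/neutron, to be confirmed against the agent's config_dir), and give the `rm` alternative the same prefix instead of `.*`. Escaping the dot in `strongswan\.d` also stops the pattern matching unrelated names such as `strongswanXd`.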


@ -16,7 +16,6 @@ import abc
import copy
import os
import re
import shutil
import six
import socket
@ -24,6 +23,7 @@ import eventlet
import jinja2
import netaddr
from neutron.agent.linux import ip_lib
from neutron.agent.linux import utils as agent_utils
from neutron.api.v2 import attributes
from neutron.common import rpc as n_rpc
from neutron.common import utils as n_utils
@ -217,7 +217,8 @@ class BaseSwanProcess(object):
def remove_config(self):
"""Remove whole config file."""
shutil.rmtree(self.config_dir, ignore_errors=True)
agent_utils.execute(
cmd=["rm", "-rf", self.config_dir], run_as_root=True)
def _get_config_filename(self, kind):
config_dir = self.etc_dir
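Review bot: `remove_config` loses its best-effort semantics: the old `shutil.rmtree(..., ignore_errors=True)` never raised, but `agent_utils.execute` raises `RuntimeError` on a non-zero exit unless `check_exit_code=False` is passed, so a failed `rm -rf` (a rootwrap filter rejection, or a path rm cannot delete) now propagates out of a cleanup method instead of being ignored. If callers rely on cleanup never failing, pass `check_exit_code=False` or catch `RuntimeError` and log it; if raising is now intended, say so in the docstring, e.g. `"""Remove the whole config dir as root; raises RuntimeError if rm fails."""`. It is also worth a comment that rootwrap only permits this when `self.config_dir` matches the `rm` filter's `.*/ipsec/[0-9a-z-]+` pattern, since an unexpected config_dir will surface as a rootwrap rejection rather than a clear error. `_get_config_filename` continues past the end of the hunk.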


@ -14,11 +14,11 @@
# under the License.
import os
import shutil
from oslo_config import cfg
from neutron.agent.linux import ip_lib
from neutron.agent.linux import utils
from neutron.plugins.common import constants
from neutron_vpnaas._i18n import _
@ -111,9 +111,12 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
extra_ok_codes=extra_ok_codes)
def copy_and_overwrite(self, from_path, to_path):
# NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
if os.path.exists(to_path):
shutil.rmtree(to_path)
shutil.copytree(from_path, to_path)
utils.execute(
cmd=["rm", "-rf", to_path], run_as_root=True)
utils.execute(
cmd=["cp", "-a", from_path, to_path], run_as_root=True)
def ensure_configs(self):
"""Generate config files which are needed for StrongSwan.