Astara appliance oslo.rootwrap
Use oslo.rootwrap to replace the default root_helper sudo. Change-Id: I5875cd647a4cc4f60f3058a98ea8a829cf056c43 Implements: blueprint astara-rootwrap
This commit is contained in:
parent
a8a67c3f9d
commit
abd07978e0
|
@ -29,12 +29,33 @@
|
||||||
- name: install gunicorn config file
|
- name: install gunicorn config file
|
||||||
template: src=gunicorn.j2 dest=/etc/astara_gunicorn_config.py
|
template: src=gunicorn.j2 dest=/etc/astara_gunicorn_config.py
|
||||||
|
|
||||||
|
- name: add gunicorn user
|
||||||
|
command: useradd -r gunicorn
|
||||||
|
|
||||||
- name: install init.d files
|
- name: install init.d files
|
||||||
copy: src={{playbook_dir}}/../scripts/etc/init.d/{{item}} dest=/etc/init.d/{{item}} mode=0555
|
copy: src={{playbook_dir}}/../scripts/etc/init.d/{{item}} dest=/etc/init.d/{{item}} mode=0555
|
||||||
with_items:
|
with_items:
|
||||||
- metadata
|
- metadata
|
||||||
- astara-router-api-server
|
- astara-router-api-server
|
||||||
|
|
||||||
|
- name: install rootwrap config file
|
||||||
|
copy: src={{playbook_dir}}/../etc/rootwrap.conf dest=/etc/rootwrap.conf mode=0555
|
||||||
|
|
||||||
|
- name: create /etc/rootwrap.d/
|
||||||
|
file: path=/etc/rootwrap.d/ state=directory
|
||||||
|
|
||||||
|
- name: install rootwrap rules file
|
||||||
|
copy: src={{playbook_dir}}/../etc/rootwrap.d/ dest=/etc/rootwrap.d/ mode=0555
|
||||||
|
with_items:
|
||||||
|
- network.filters
|
||||||
|
|
||||||
|
- stat: path=/etc/sudoers.d
|
||||||
|
register: sudoers_dir
|
||||||
|
|
||||||
|
- name: install sudoer file
|
||||||
|
when: sudoers_dir.stat.exists == True
|
||||||
|
template: src=gunicorn dest=/etc/sudoers.d/gunicorn mode=0440
|
||||||
|
|
||||||
- name: create /usr/local/share/astara/
|
- name: create /usr/local/share/astara/
|
||||||
file: path=/usr/local/share/astara state=directory
|
file: path=/usr/local/share/astara state=directory
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
gunicorn ALL = (root) NOPASSWD: /usr/local/bin/astara-rootwrap /etc/rootwrap.conf *
|
|
@ -42,7 +42,7 @@ def _get_cache():
|
||||||
_cache = make_region().configure(
|
_cache = make_region().configure(
|
||||||
'dogpile.cache.dbm',
|
'dogpile.cache.dbm',
|
||||||
arguments={
|
arguments={
|
||||||
"filename": "/etc/astara-state"
|
"filename": "/tmp/astara-state"
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
return _cache
|
return _cache
|
||||||
|
|
|
@ -83,7 +83,7 @@ class ARPManager(base.Manager):
|
||||||
A class to interact with entries in the ARP cache. Currently only really
|
A class to interact with entries in the ARP cache. Currently only really
|
||||||
provides support for deleting stuff from the cache.
|
provides support for deleting stuff from the cache.
|
||||||
"""
|
"""
|
||||||
EXECUTABLE = '/usr/sbin/arp'
|
EXECUTABLE = 'arp'
|
||||||
|
|
||||||
def send_gratuitous_arp_for_floating_ips(self, config, generic_to_host):
|
def send_gratuitous_arp_for_floating_ips(self, config, generic_to_host):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -24,7 +24,7 @@ class Manager(object):
|
||||||
modules.
|
modules.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes Manager class. <root_helper> provides a facility to specify
|
Initializes Manager class. <root_helper> provides a facility to specify
|
||||||
how this class accesses escalated privileges. Defaults to 'sudo'.
|
how this class accesses escalated privileges. Defaults to 'sudo'.
|
||||||
|
|
|
@ -30,7 +30,7 @@ class BirdManager(base.Manager):
|
||||||
"""
|
"""
|
||||||
A class to interact with BIRD, an internet routing protocol daemon.
|
A class to interact with BIRD, an internet routing protocol daemon.
|
||||||
"""
|
"""
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes BirdManager class.
|
Initializes BirdManager class.
|
||||||
|
|
||||||
|
@ -59,11 +59,11 @@ class BirdManager(base.Manager):
|
||||||
Restart the BIRD daemon using the system provided init scripts.
|
Restart the BIRD daemon using the system provided init scripts.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
utils.execute(['/etc/init.d/bird6', 'status'], self.root_helper)
|
utils.execute(['service', 'bird6', 'status'], self.root_helper)
|
||||||
except: # pragma no cover
|
except: # pragma no cover
|
||||||
utils.execute(['/etc/init.d/bird6', 'start'], self.root_helper)
|
utils.execute(['service', 'bird6', 'start'], self.root_helper)
|
||||||
else: # pragma no cover
|
else: # pragma no cover
|
||||||
utils.execute(['/etc/init.d/bird6', 'reload'], self.root_helper)
|
utils.execute(['service', 'bird6', 'reload'], self.root_helper)
|
||||||
|
|
||||||
|
|
||||||
def build_config(config, interface_map):
|
def build_config(config, interface_map):
|
||||||
|
|
|
@ -29,7 +29,7 @@ DEFAULT_LEASE = 86400
|
||||||
|
|
||||||
class DHCPManager(base.Manager):
|
class DHCPManager(base.Manager):
|
||||||
"""A class to manage dnsmasq."""
|
"""A class to manage dnsmasq."""
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes DHCPManager class.
|
Initializes DHCPManager class.
|
||||||
|
|
||||||
|
@ -45,7 +45,8 @@ class DHCPManager(base.Manager):
|
||||||
"""
|
"""
|
||||||
for f in os.listdir(CONF_DIR):
|
for f in os.listdir(CONF_DIR):
|
||||||
if f.endswith('.conf'):
|
if f.endswith('.conf'):
|
||||||
os.remove(os.path.join(CONF_DIR, f))
|
utils.execute(['rm', '-f', os.path.join(CONF_DIR, f)],
|
||||||
|
self.root_helper)
|
||||||
|
|
||||||
def update_network_dhcp_config(self, ifname, network):
|
def update_network_dhcp_config(self, ifname, network):
|
||||||
"""
|
"""
|
||||||
|
@ -139,7 +140,7 @@ class DHCPManager(base.Manager):
|
||||||
Restarts dnsmasq service using the system provided init script.
|
Restarts dnsmasq service using the system provided init script.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
utils.execute([RC_PATH, 'stop'], self.root_helper)
|
utils.execute(['service', 'dnsmasq', 'stop'], self.root_helper)
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
@ -149,7 +150,7 @@ class DHCPManager(base.Manager):
|
||||||
remaining -= 1
|
remaining -= 1
|
||||||
try:
|
try:
|
||||||
utils.execute(
|
utils.execute(
|
||||||
[RC_PATH, 'start'], self.root_helper
|
['service', 'dnsmasq', 'start'], self.root_helper
|
||||||
)
|
)
|
||||||
return
|
return
|
||||||
except Exception:
|
except Exception:
|
||||||
|
|
|
@ -20,7 +20,7 @@ from astara_router import utils
|
||||||
|
|
||||||
|
|
||||||
class HostnameManager(base.Manager):
|
class HostnameManager(base.Manager):
|
||||||
EXECUTABLE = '/bin/hostname'
|
EXECUTABLE = 'hostname'
|
||||||
|
|
||||||
def update(self, config):
|
def update(self, config):
|
||||||
self.update_hostname(config)
|
self.update_hostname(config)
|
||||||
|
|
|
@ -39,9 +39,9 @@ class IPManager(base.Manager):
|
||||||
configuration information.
|
configuration information.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
EXECUTABLE = '/sbin/ip'
|
EXECUTABLE = 'ip'
|
||||||
|
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""Initializes resources for the IPManager class"""
|
"""Initializes resources for the IPManager class"""
|
||||||
super(IPManager, self).__init__(root_helper)
|
super(IPManager, self).__init__(root_helper)
|
||||||
self.next_generic_index = 0
|
self.next_generic_index = 0
|
||||||
|
|
|
@ -89,14 +89,14 @@ class IPTablesManager(base.Manager):
|
||||||
netfilter-persistent as a plugin, so use that instead if it is
|
netfilter-persistent as a plugin, so use that instead if it is
|
||||||
available
|
available
|
||||||
'''
|
'''
|
||||||
_init = '/etc/init.d/%s-persistent'
|
_init = '%s-persistent'
|
||||||
if os.path.isfile(_init % 'netfilter'):
|
if os.path.isfile('/etc/init.d/netfilter-persistent'):
|
||||||
init = _init % 'netfilter'
|
init = _init % 'netfilter'
|
||||||
else:
|
else:
|
||||||
init = _init % 'iptables'
|
init = _init % 'iptables'
|
||||||
|
|
||||||
utils.execute(
|
utils.execute(
|
||||||
[init, 'restart'],
|
['service', init, 'restart'],
|
||||||
self.root_helper
|
self.root_helper
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -108,8 +108,8 @@ class IPTablesManager(base.Manager):
|
||||||
|
|
||||||
:rtype: str
|
:rtype: str
|
||||||
'''
|
'''
|
||||||
v4 = utils.execute(['iptables', '-L', '-n'])
|
v4 = utils.execute(['iptables', '-L', '-n'], self.root_helper)
|
||||||
v6 = utils.execute(['ip6tables', '-L', '-n'])
|
v6 = utils.execute(['ip6tables', '-L', '-n'], self.root_helper)
|
||||||
return v4 + v6
|
return v4 + v6
|
||||||
|
|
||||||
def get_external_network(self, config):
|
def get_external_network(self, config):
|
||||||
|
|
|
@ -33,7 +33,7 @@ class NginxLB(base.Manager):
|
||||||
os.path.dirname(__file__), 'nginx.conf.template')
|
os.path.dirname(__file__), 'nginx.conf.template')
|
||||||
INIT = 'nginx'
|
INIT = 'nginx'
|
||||||
|
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes DHCPManager class.
|
Initializes DHCPManager class.
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ class MetadataManager(base.Manager):
|
||||||
A class to provide facilities to interact with the Nova metadata service.
|
A class to provide facilities to interact with the Nova metadata service.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes MetataManager class.
|
Initializes MetataManager class.
|
||||||
|
|
||||||
|
@ -88,20 +88,20 @@ class MetadataManager(base.Manager):
|
||||||
determined to be stopped.
|
determined to be stopped.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
execute(['/etc/init.d/metadata', 'status'], self.root_helper)
|
execute(['service', 'metadata', 'status'], self.root_helper)
|
||||||
except:
|
except:
|
||||||
execute(['/etc/init.d/metadata', 'start'], self.root_helper)
|
execute(['service', 'metadata', 'start'], self.root_helper)
|
||||||
|
|
||||||
def restart(self):
|
def restart(self):
|
||||||
"""
|
"""
|
||||||
Restarts the metadata service using the init script.
|
Restarts the metadata service using the init script.
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
execute(['/etc/init.d/metadata', 'stop'], self.root_helper)
|
execute(['service', 'metadata', 'stop'], self.root_helper)
|
||||||
except:
|
except:
|
||||||
# failure is ok here
|
# failure is ok here
|
||||||
pass
|
pass
|
||||||
execute(['/etc/init.d/metadata', 'start'], self.root_helper)
|
execute(['service', 'metadata', 'start'], self.root_helper)
|
||||||
|
|
||||||
|
|
||||||
def build_config(config):
|
def build_config(config):
|
||||||
|
|
|
@ -28,11 +28,11 @@ class PingManager(base.Manager):
|
||||||
"""
|
"""
|
||||||
|
|
||||||
exe_map = {
|
exe_map = {
|
||||||
4: '/bin/ping',
|
4: 'ping',
|
||||||
6: '/bin/ping6'
|
6: 'ping6'
|
||||||
}
|
}
|
||||||
|
|
||||||
def __init__(self, root_helper='sudo'):
|
def __init__(self, root_helper='sudo astara-rootwrap /etc/rootwrap.conf'):
|
||||||
"""
|
"""
|
||||||
Initializes PingManager class.
|
Initializes PingManager class.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
vim:
|
|
@ -0,0 +1,27 @@
|
||||||
|
# Configuration for astara-rootwrap
|
||||||
|
# This file should be owned by (and only-writeable by) the root user
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
# List of directories to load filter definitions from (separated by ',').
|
||||||
|
# These directories MUST all be only writeable by root !
|
||||||
|
filters_path=/etc/rootwrap.d
|
||||||
|
|
||||||
|
# List of directories to search executables in, in case filters do not
|
||||||
|
# explicitely specify a full path (separated by ',')
|
||||||
|
# If not specified, defaults to system PATH environment variable.
|
||||||
|
# These directories MUST all be only writeable by root !
|
||||||
|
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
|
||||||
|
|
||||||
|
# Enable logging to syslog
|
||||||
|
# Default value is False
|
||||||
|
use_syslog=False
|
||||||
|
|
||||||
|
# Which syslog facility to use.
|
||||||
|
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||||
|
# Default value is 'syslog'
|
||||||
|
syslog_log_facility=syslog
|
||||||
|
|
||||||
|
# Which messages to log.
|
||||||
|
# INFO means log all usage
|
||||||
|
# ERROR means only log unsuccessful attempts
|
||||||
|
syslog_log_level=ERROR
|
|
@ -0,0 +1,38 @@
|
||||||
|
# astara-rootwrap command filters for astara-appliance
|
||||||
|
# This file should be owned by (and only-writeable by) the root user
|
||||||
|
|
||||||
|
[Filters]
|
||||||
|
# astara_router/drivers/bird.py:
|
||||||
|
mv_bird: RegExpFilter, mv, root, mv, /tmp/bird6\.conf, /etc/bird/bird6\.conf
|
||||||
|
|
||||||
|
# astara_router/drivers/arp.py: 'arp'..
|
||||||
|
arp: CommandFilter, /usr/sbin/arp, root
|
||||||
|
|
||||||
|
# astara_router/drivers/dnsmasq.py:
|
||||||
|
mv_dnsmasq: RegExpFilter, mv, root, mv, /tmp/dnsmasq\.conf, /etc/dnsmasq\.d/.*\.conf
|
||||||
|
rm: CommandFilter, rm, root
|
||||||
|
|
||||||
|
# astara_router/drivers/hostname.py:
|
||||||
|
hostname: CommandFilter, /bin/hostname, root
|
||||||
|
mv_hostname: RegExpFilter, mv, root, mv, /tmp/hostname, /etc/hostname
|
||||||
|
mv_hosts: RegExpFilter, mv, root, mv, /tmp/hosts, /etc/hosts
|
||||||
|
|
||||||
|
# astara_router/drivers/ip.py:
|
||||||
|
ip: IpFilter, ip, root
|
||||||
|
sysctl: CommandFilter, sysctl, root
|
||||||
|
conntrack: CommandFilter, conntrack, root
|
||||||
|
|
||||||
|
# astara_router/drivers/ping.py:
|
||||||
|
ping: CommandFilter, ping, root
|
||||||
|
ping6: CommandFilter, ping6, root
|
||||||
|
|
||||||
|
# astara_router/drivers/iptables.py:
|
||||||
|
mv_rules: RegExpFilter, mv, root, mv, /tmp/ip.*tables\.rules, /etc/iptables/rules\.v.*
|
||||||
|
iptables: CommandFilter, iptables, root
|
||||||
|
ip6tables: CommandFilter, ip6tables, root
|
||||||
|
|
||||||
|
# astara_router/drivers/metadata.py:
|
||||||
|
mv_metadata: RegExpFilter, mv, root, mv, /tmp/metadata\.conf, /etc/metadata\.conf
|
||||||
|
|
||||||
|
# astara services
|
||||||
|
services: CommandFilter, service, root
|
|
@ -7,3 +7,4 @@ netaddr!=0.7.16,>=0.7.12 # BSD
|
||||||
eventlet>=0.18.2 # MIT
|
eventlet>=0.18.2 # MIT
|
||||||
requests!=2.9.0,>=2.8.1 # Apache-2.0
|
requests!=2.9.0,>=2.8.1 # Apache-2.0
|
||||||
greenlet>=0.3.2 # MIT
|
greenlet>=0.3.2 # MIT
|
||||||
|
oslo.rootwrap>=2.0.0 # Apache-2.0
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
||||||
DAEMON="/usr/bin/gunicorn"
|
DAEMON="/usr/bin/gunicorn"
|
||||||
NAME="astara-router-api-server"
|
NAME="astara-router-api-server"
|
||||||
OPTIONS="--pythonpath /usr/local/share/astara -c /etc/astara_gunicorn_config.py astara_router.api.server:app"
|
OPTIONS="--user gunicorn --pythonpath /usr/local/share/astara -c /etc/astara_gunicorn_config.py astara_router.api.server:app"
|
||||||
PIDFILE=/var/run/gunicorn.pid
|
PIDFILE=/var/run/gunicorn.pid
|
||||||
|
|
||||||
test -x $DAEMON || exit 0
|
test -x $DAEMON || exit 0
|
||||||
|
|
|
@ -35,6 +35,7 @@ console_scripts =
|
||||||
astara-api-dev-server=astara_router.api.server:main
|
astara-api-dev-server=astara_router.api.server:main
|
||||||
astara-metadata-proxy=astara_router.metadata_proxy:main
|
astara-metadata-proxy=astara_router.metadata_proxy:main
|
||||||
astara-gratuitous-arp=astara_router.drivers.arp:send_gratuitous_arp
|
astara-gratuitous-arp=astara_router.drivers.arp:send_gratuitous_arp
|
||||||
|
astara-rootwrap=oslo_rootwrap.cmd:main
|
||||||
|
|
||||||
[build_sphinx]
|
[build_sphinx]
|
||||||
all_files = 1
|
all_files = 1
|
||||||
|
|
|
@ -131,16 +131,20 @@ class ARPTest(unittest2.TestCase):
|
||||||
)
|
)
|
||||||
assert execute.call_args_list == [
|
assert execute.call_args_list == [
|
||||||
mock.call(
|
mock.call(
|
||||||
['astara-gratuitous-arp', 'eth1', '172.16.77.50'], 'sudo'
|
['astara-gratuitous-arp', 'eth1', '172.16.77.50'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
),
|
),
|
||||||
mock.call(
|
mock.call(
|
||||||
['astara-gratuitous-arp', 'eth1', '172.16.77.51'], 'sudo'
|
['astara-gratuitous-arp', 'eth1', '172.16.77.51'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
),
|
),
|
||||||
mock.call(
|
mock.call(
|
||||||
['astara-gratuitous-arp', 'eth1', '172.16.77.52'], 'sudo'
|
['astara-gratuitous-arp', 'eth1', '172.16.77.52'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
),
|
),
|
||||||
mock.call(
|
mock.call(
|
||||||
['astara-gratuitous-arp', 'eth1', '172.16.77.53'], 'sudo'
|
['astara-gratuitous-arp', 'eth1', '172.16.77.53'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
@ -90,14 +90,16 @@ class BirdTestCase(TestCase):
|
||||||
)
|
)
|
||||||
self.mock_execute.assert_called_once_with(
|
self.mock_execute.assert_called_once_with(
|
||||||
['mv', '/tmp/bird6.conf', '/etc/bird/bird6.conf'],
|
['mv', '/tmp/bird6.conf', '/etc/bird/bird6.conf'],
|
||||||
'sudo'
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_restart(self):
|
def test_restart(self):
|
||||||
self.mgr.restart()
|
self.mgr.restart()
|
||||||
self.mock_execute.assert_has_calls([
|
self.mock_execute.assert_has_calls([
|
||||||
mock.call(['/etc/init.d/bird6', 'status'], 'sudo'),
|
mock.call(['service', 'bird6', 'status'],
|
||||||
mock.call(['/etc/init.d/bird6', 'reload'], 'sudo'),
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['service', 'bird6', 'reload'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
])
|
])
|
||||||
|
|
||||||
def test_restart_failure(self):
|
def test_restart_failure(self):
|
||||||
|
@ -105,8 +107,10 @@ class BirdTestCase(TestCase):
|
||||||
execute.side_effect = [Exception('status failed!'), None]
|
execute.side_effect = [Exception('status failed!'), None]
|
||||||
self.mgr.restart()
|
self.mgr.restart()
|
||||||
execute.assert_has_calls([
|
execute.assert_has_calls([
|
||||||
mock.call(['/etc/init.d/bird6', 'status'], 'sudo'),
|
mock.call(['service', 'bird6', 'status'],
|
||||||
mock.call(['/etc/init.d/bird6', 'start'], 'sudo'),
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['service', 'bird6', 'start'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
])
|
])
|
||||||
|
|
||||||
def test_build_config(self):
|
def test_build_config(self):
|
||||||
|
|
|
@ -109,7 +109,7 @@ class DnsmasqTestCase(TestCase):
|
||||||
)
|
)
|
||||||
self.mock_execute.assert_called_once_with(
|
self.mock_execute.assert_called_once_with(
|
||||||
['mv', '/tmp/dnsmasq.conf', '/etc/dnsmasq.d/em1.conf'],
|
['mv', '/tmp/dnsmasq.conf', '/etc/dnsmasq.d/em1.conf'],
|
||||||
'sudo'
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_build_dhcp_config(self):
|
def test_build_dhcp_config(self):
|
||||||
|
@ -136,6 +136,8 @@ class DnsmasqTestCase(TestCase):
|
||||||
def test_restart(self):
|
def test_restart(self):
|
||||||
self.mgr.restart()
|
self.mgr.restart()
|
||||||
self.mock_execute.assert_has_calls([
|
self.mock_execute.assert_has_calls([
|
||||||
mock.call(['/etc/init.d/dnsmasq', 'stop'], 'sudo'),
|
mock.call(['service', 'dnsmasq', 'stop'],
|
||||||
mock.call(['/etc/init.d/dnsmasq', 'start'], 'sudo')
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['service', 'dnsmasq', 'start'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')
|
||||||
])
|
])
|
||||||
|
|
|
@ -41,8 +41,10 @@ class HostnameTestCase(TestCase):
|
||||||
def test_update_hostname(self):
|
def test_update_hostname(self):
|
||||||
self.mgr.update_hostname(CONFIG)
|
self.mgr.update_hostname(CONFIG)
|
||||||
self.mock_execute.assert_has_calls([
|
self.mock_execute.assert_has_calls([
|
||||||
mock.call(['/bin/hostname', 'astara'], 'sudo'),
|
mock.call(['hostname', 'astara'],
|
||||||
mock.call(['mv', '/tmp/hostname', '/etc/hostname'], 'sudo')
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['mv', '/tmp/hostname', '/etc/hostname'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')
|
||||||
])
|
])
|
||||||
|
|
||||||
def test_update_hosts(self):
|
def test_update_hosts(self):
|
||||||
|
@ -53,6 +55,7 @@ class HostnameTestCase(TestCase):
|
||||||
]))
|
]))
|
||||||
self.mgr.update_hosts(CONFIG)
|
self.mgr.update_hosts(CONFIG)
|
||||||
self.mock_execute.assert_has_calls([
|
self.mock_execute.assert_has_calls([
|
||||||
mock.call(['mv', '/tmp/hosts', '/etc/hosts'], 'sudo')
|
mock.call(['mv', '/tmp/hosts', '/etc/hosts'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')
|
||||||
])
|
])
|
||||||
self.mock_replace_file.assert_has_calls([expected])
|
self.mock_replace_file.assert_has_calls([expected])
|
||||||
|
|
|
@ -75,7 +75,7 @@ class IPTestCase(TestCase):
|
||||||
self.assertEqual(interfaces, [iface_a, iface_b])
|
self.assertEqual(interfaces, [iface_a, iface_b])
|
||||||
|
|
||||||
self.mock_execute.assert_has_calls(
|
self.mock_execute.assert_has_calls(
|
||||||
[mock.call(['/sbin/ip', 'addr', 'show'])])
|
[mock.call(['ip', 'addr', 'show'])])
|
||||||
|
|
||||||
def test_get_interface(self):
|
def test_get_interface(self):
|
||||||
iface_a = mock.Mock()
|
iface_a = mock.Mock()
|
||||||
|
@ -93,7 +93,7 @@ class IPTestCase(TestCase):
|
||||||
self.assertEqual(iface_a.ifname, 'ge0')
|
self.assertEqual(iface_a.ifname, 'ge0')
|
||||||
|
|
||||||
self.mock_execute.assert_has_calls(
|
self.mock_execute.assert_has_calls(
|
||||||
[mock.call(['/sbin/ip', 'addr', 'show'])])
|
[mock.call(['ip', 'addr', 'show'])])
|
||||||
|
|
||||||
def test_ensure_mapping(self):
|
def test_ensure_mapping(self):
|
||||||
attr = 'get_interfaces'
|
attr = 'get_interfaces'
|
||||||
|
@ -149,7 +149,8 @@ class IPTestCase(TestCase):
|
||||||
mgr.generic_mapping = {'ge0': 'em0'}
|
mgr.generic_mapping = {'ge0': 'em0'}
|
||||||
mgr.up(iface)
|
mgr.up(iface)
|
||||||
self.mock_execute.assert_has_calls(
|
self.mock_execute.assert_has_calls(
|
||||||
[mock.call(['/sbin/ip', 'link', 'set', 'em0', 'up'], 'sudo')])
|
[mock.call(['ip', 'link', 'set', 'em0', 'up'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')])
|
||||||
|
|
||||||
def test_down(self):
|
def test_down(self):
|
||||||
iface = mock.Mock()
|
iface = mock.Mock()
|
||||||
|
@ -164,7 +165,8 @@ class IPTestCase(TestCase):
|
||||||
mgr.down(iface)
|
mgr.down(iface)
|
||||||
|
|
||||||
self.mock_execute.assert_has_calls(
|
self.mock_execute.assert_has_calls(
|
||||||
[mock.call(['/sbin/ip', 'link', 'set', 'em0', 'down'], 'sudo')])
|
[mock.call(['ip', 'link', 'set', 'em0', 'down'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')])
|
||||||
|
|
||||||
def test_set_mtu(self):
|
def test_set_mtu(self):
|
||||||
iface = mock.Mock()
|
iface = mock.Mock()
|
||||||
|
@ -180,8 +182,8 @@ class IPTestCase(TestCase):
|
||||||
mgr.set_mtu(iface)
|
mgr.set_mtu(iface)
|
||||||
|
|
||||||
self.mock_execute.assert_has_calls(
|
self.mock_execute.assert_has_calls(
|
||||||
[mock.call(['/sbin/ip', 'link', 'set', 'em0', 'mtu', '1280'],
|
[mock.call(['ip', 'link', 'set', 'em0', 'mtu', '1280'],
|
||||||
'sudo')])
|
'sudo astara-rootwrap /etc/rootwrap.conf')])
|
||||||
|
|
||||||
def _update_interface_test_hlpr(self, new_iface, old_iface,
|
def _update_interface_test_hlpr(self, new_iface, old_iface,
|
||||||
ignore_link_local=True):
|
ignore_link_local=True):
|
||||||
|
@ -263,7 +265,7 @@ class IPTestCase(TestCase):
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_address_add(self):
|
def test_address_add(self):
|
||||||
cmd = '/sbin/ip'
|
cmd = 'ip'
|
||||||
v4 = netaddr.IPNetwork('192.168.105.2/24')
|
v4 = netaddr.IPNetwork('192.168.105.2/24')
|
||||||
v6 = netaddr.IPNetwork('fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64')
|
v6 = netaddr.IPNetwork('fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64')
|
||||||
iface = mock.Mock(all_addresses=[v4, v6], ifname='em0')
|
iface = mock.Mock(all_addresses=[v4, v6], ifname='em0')
|
||||||
|
@ -278,19 +280,21 @@ class IPTestCase(TestCase):
|
||||||
mock.call([
|
mock.call([
|
||||||
cmd, 'addr', 'add', '192.168.105.2/24', 'brd', '+', 'dev',
|
cmd, 'addr', 'add', '192.168.105.2/24', 'brd', '+', 'dev',
|
||||||
'em0'
|
'em0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call([cmd, 'link', 'set', 'em0', 'up'], 'sudo'),
|
mock.call([cmd, 'link', 'set', 'em0', 'up'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call([cmd, 'addr', 'show', 'em0']),
|
mock.call([cmd, 'addr', 'show', 'em0']),
|
||||||
mock.call([
|
mock.call([
|
||||||
cmd, '-6', 'addr', 'add',
|
cmd, '-6', 'addr', 'add',
|
||||||
'fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64', 'dev', 'em0'
|
'fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64', 'dev', 'em0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call([cmd, 'link', 'set', 'em0', 'up'], 'sudo'),
|
mock.call([cmd, 'link', 'set', 'em0', 'up'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call([cmd, 'addr', 'show', 'em0'])
|
mock.call([cmd, 'addr', 'show', 'em0'])
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_address_remove(self):
|
def test_address_remove(self):
|
||||||
cmd = '/sbin/ip'
|
cmd = 'ip'
|
||||||
v4 = netaddr.IPNetwork('192.168.105.2/24')
|
v4 = netaddr.IPNetwork('192.168.105.2/24')
|
||||||
v6 = netaddr.IPNetwork('fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64')
|
v6 = netaddr.IPNetwork('fdca:3ba5:a17a:acda:20c:29ff:fe94:723d/64')
|
||||||
iface = mock.Mock(all_addresses=[])
|
iface = mock.Mock(all_addresses=[])
|
||||||
|
@ -299,12 +303,15 @@ class IPTestCase(TestCase):
|
||||||
mgr = ip.IPManager()
|
mgr = ip.IPManager()
|
||||||
mgr._update_addresses('em0', iface, old_iface)
|
mgr._update_addresses('em0', iface, old_iface)
|
||||||
assert self.mock_execute.call_args_list == [
|
assert self.mock_execute.call_args_list == [
|
||||||
mock.call([cmd, 'addr', 'del', str(v4), 'dev', 'em0'], 'sudo'),
|
mock.call([cmd, 'addr', 'del', str(v4), 'dev', 'em0'],
|
||||||
mock.call(['conntrack', '-D', '-d', str(v4.ip)], 'sudo'),
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call(['conntrack', '-D', '-q', str(v4.ip)], 'sudo'),
|
mock.call(['conntrack', '-D', '-d', str(v4.ip)],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['conntrack', '-D', '-q', str(v4.ip)],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call([
|
mock.call([
|
||||||
cmd, '-6', 'addr', 'del', str(v6), 'dev', 'em0'
|
cmd, '-6', 'addr', 'del', str(v6), 'dev', 'em0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_update_set(self):
|
def test_update_set(self):
|
||||||
|
@ -331,15 +338,18 @@ class IPTestCase(TestCase):
|
||||||
|
|
||||||
assert self.mock_execute.call_args_list == [
|
assert self.mock_execute.call_args_list == [
|
||||||
mock.call([
|
mock.call([
|
||||||
'/sbin/ip', 'addr', 'add', str(a), 'dev', 'em0'
|
'ip', 'addr', 'add', str(a), 'dev', 'em0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call(['/sbin/ip', 'link', 'set', 'em0', 'up'], 'sudo'),
|
mock.call(['ip', 'link', 'set', 'em0', 'up'],
|
||||||
mock.call(['/sbin/ip', 'addr', 'show', 'em0']),
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['ip', 'addr', 'show', 'em0']),
|
||||||
mock.call([
|
mock.call([
|
||||||
'/sbin/ip', 'addr', 'del', str(c), 'dev', 'em0'
|
'ip', 'addr', 'del', str(c), 'dev', 'em0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
mock.call(['conntrack', '-D', '-d', str(c.ip)], 'sudo'),
|
mock.call(['conntrack', '-D', '-d', str(c.ip)],
|
||||||
mock.call(['conntrack', '-D', '-q', str(c.ip)], 'sudo'),
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
|
mock.call(['conntrack', '-D', '-q', str(c.ip)],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_update_set_no_diff(self):
|
def test_update_set_no_diff(self):
|
||||||
|
@ -394,7 +404,7 @@ class TestDisableDAD(TestCase):
|
||||||
assert self.mock_execute.call_args_list == [
|
assert self.mock_execute.call_args_list == [
|
||||||
mock.call([
|
mock.call([
|
||||||
'sysctl', '-w', 'net.ipv6.conf.eth0.accept_dad=0'
|
'sysctl', '-w', 'net.ipv6.conf.eth0.accept_dad=0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_dad_for_internal(self):
|
def test_dad_for_internal(self):
|
||||||
|
@ -409,7 +419,7 @@ class TestDisableDAD(TestCase):
|
||||||
assert self.mock_execute.call_args_list == [
|
assert self.mock_execute.call_args_list == [
|
||||||
mock.call([
|
mock.call([
|
||||||
'sysctl', '-w', 'net.ipv6.conf.eth2.accept_dad=0'
|
'sysctl', '-w', 'net.ipv6.conf.eth2.accept_dad=0'
|
||||||
], 'sudo'),
|
], 'sudo astara-rootwrap /etc/rootwrap.conf'),
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_sysctl_failure(self):
|
def test_sysctl_failure(self):
|
||||||
|
|
|
@ -163,11 +163,11 @@ class TestIPTablesRouterConfiguration(TestCase):
|
||||||
assert self.execute.call_args_list == [
|
assert self.execute.call_args_list == [
|
||||||
mock.call(
|
mock.call(
|
||||||
['mv', '/tmp/ip4tables.rules', '/etc/iptables/rules.v4'],
|
['mv', '/tmp/ip4tables.rules', '/etc/iptables/rules.v4'],
|
||||||
'sudo'
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
),
|
),
|
||||||
mock.call(
|
mock.call(
|
||||||
['mv', '/tmp/ip6tables.rules', '/etc/iptables/rules.v6'],
|
['mv', '/tmp/ip6tables.rules', '/etc/iptables/rules.v6'],
|
||||||
'sudo'
|
'sudo astara-rootwrap /etc/rootwrap.conf'
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -177,7 +177,8 @@ class TestIPTablesRouterConfiguration(TestCase):
|
||||||
mgr = iptables.IPTablesManager()
|
mgr = iptables.IPTablesManager()
|
||||||
mgr.restart()
|
mgr.restart()
|
||||||
assert self.execute.call_args_list == [
|
assert self.execute.call_args_list == [
|
||||||
mock.call(['/etc/init.d/iptables-persistent', 'restart'], 'sudo')
|
mock.call(['service', 'iptables-persistent', 'restart'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')
|
||||||
]
|
]
|
||||||
|
|
||||||
@mock.patch('os.path.isfile')
|
@mock.patch('os.path.isfile')
|
||||||
|
@ -186,7 +187,8 @@ class TestIPTablesRouterConfiguration(TestCase):
|
||||||
mgr = iptables.IPTablesManager()
|
mgr = iptables.IPTablesManager()
|
||||||
mgr.restart()
|
mgr.restart()
|
||||||
assert self.execute.call_args_list == [
|
assert self.execute.call_args_list == [
|
||||||
mock.call(['/etc/init.d/netfilter-persistent', 'restart'], 'sudo')
|
mock.call(['service', 'netfilter-persistent', 'restart'],
|
||||||
|
'sudo astara-rootwrap /etc/rootwrap.conf')
|
||||||
]
|
]
|
||||||
|
|
||||||
def test_mixed_floating_ip_versions(self):
|
def test_mixed_floating_ip_versions(self):
|
||||||
|
|
Loading…
Reference in New Issue