From 49ecc81bc2acc9d692a35fdac8cc125ff6575ec8 Mon Sep 17 00:00:00 2001
From: Thomas Bechtold
Date: Mon, 30 May 2016 11:52:43 +0200
Subject: [PATCH] Copy/remove the strongswan.d config as root
The strongswan.d config dir (usually /etc/strongswan.d) is usually owned by root but the neutron-vpn-agent may run as non-root so the files need to be copied as root to not get a "permission denied" error.
Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
(cherry picked from commit beff6e945ce4cf31f4a6ae977df72410dc80b717)
---
 etc/neutron/rootwrap.d/vpnaas.filters | 2 ++
 neutron_vpnaas/services/vpn/device_drivers/ipsec.py | 5 +++--
 .../services/vpn/device_drivers/strongswan_ipsec.py | 9 ++++++---
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/etc/neutron/rootwrap.d/vpnaas.filters b/etc/neutron/rootwrap.d/vpnaas.filters
index d834404a3..4d72d7dfc 100644
--- a/etc/neutron/rootwrap.d/vpnaas.filters
+++ b/etc/neutron/rootwrap.d/vpnaas.filters
@@ -8,9 +8,11 @@
 [Filters]
+cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
+rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
diff --git a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
index 427965ae0..5d8beff2a 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -16,7 +16,6 @@ import abc
 import copy
 import os
 import re
-import shutil
 import six
 import socket
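Review bot: Both new RegExpFilter rules begin with `.*`, so the root-run `cp` may write to any directory named strongswan.d — including the system-wide /etc/strongswan.d that the commit message itself names — and `rm -rf` may delete any path whose last two components have the shape `ipsec/<name>`, well beyond the agent's own config area. Rootwrap is the boundary that limits what a non-root agent can do as root, so the leading `.*` should be pinned to the agent's config base and the dot escaped, e.g. `cp: RegExpFilter, cp, root, cp, -a, /etc/strongswan\.d, <CONFIG_BASE_DIR>/[0-9a-z-]+/strongswan\.d` and `rm: RegExpFilter, rm, root, rm, -rf, <CONFIG_BASE_DIR>/[0-9a-z-]+(/strongswan\.d)?`, where `<CONFIG_BASE_DIR>` is a placeholder for the deployment's config base and the sub-path layout of `to_path` is a guess to confirm against the driver. These two patterns also decide which `self.config_dir` and `to_path` values the new `execute(..., run_as_root=True)` calls in ipsec.py and strongswan_ipsec.py may pass; a config dir whose parent component is not literally `ipsec` is refused by rootwrap rather than removed.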
@@ -24,6 +23,7 @@ import eventlet
 import jinja2
 import netaddr
 from neutron.agent.linux import ip_lib
+from neutron.agent.linux import utils as agent_utils
 from neutron.api.v2 import attributes
 from neutron.common import rpc as n_rpc
 from neutron.common import utils as n_utils
@@ -217,7 +217,8 @@ class BaseSwanProcess(object):
 def remove_config(self):
 """Remove whole config file."""
- shutil.rmtree(self.config_dir, ignore_errors=True)
+ agent_utils.execute(
+ cmd=["rm", "-rf", self.config_dir], run_as_root=True)
 def _get_config_filename(self, kind):
 config_dir = self.etc_dir
diff --git a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
index 77ac8e1a1..eb1736b29 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -14,11 +14,11 @@
 # under the License.
 import os
-import shutil
 from oslo_config import cfg
 from neutron.agent.linux import ip_lib
+from neutron.agent.linux import utils
 from neutron.plugins.common import constants
 from neutron_vpnaas._i18n import _
@@ -111,9 +111,12 @@ class StrongSwanProcess(ipsec.BaseSwanProcess):
 extra_ok_codes=extra_ok_codes)
 def copy_and_overwrite(self, from_path, to_path):
+ # NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
 if os.path.exists(to_path):
- shutil.rmtree(to_path)
- shutil.copytree(from_path, to_path)
+ utils.execute(
+ cmd=["rm", "-rf", to_path], run_as_root=True)
+ utils.execute(
+ cmd=["cp", "-a", from_path, to_path], run_as_root=True)
 def ensure_configs(self):
 """Generate config files which are needed for StrongSwan.
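Review bot: `remove_config` loses its best-effort contract in the -217,7 hunk: the removed `shutil.rmtree(..., ignore_errors=True)` swallowed every failure, whereas `agent_utils.execute(..., run_as_root=True)` raises on a non-zero exit, and a rootwrap denial is one such exit — the new `rm` filter only admits paths matching `.*/strongswan.d` or `.*/ipsec/[0-9a-z-]+`, so a `self.config_dir` whose parent component is not `ipsec` makes every removal raise. `rm -rf` exits 0 on a missing path, so the common already-gone case still behaves as before. The docstring should record the new failure mode, e.g. `"""Remove the whole config dir as root via rootwrap; raises if the path is refused or rm fails."""`, rather than masking it with `check_exit_code=False`, which would also hide a filter misconfiguration. BaseSwanProcess continues outside the hunk.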
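Review bot: `copy_and_overwrite` keeps a generic signature but after this hunk only works for destinations the rootwrap filters accept — `to_path` must match `.*/strongswan.d` for the `cp -a` rule and the `rm` rule — and any other `to_path` raises from `utils.execute` at rootwrap time instead of copying; that constraint belongs in a docstring, e.g. `"""Replace to_path with a root-owned copy of from_path via rootwrap; to_path must be a strongswan.d directory."""`. Because `cp -a` now runs as root it preserves the source's ownership, so where the source is root-owned (/etc/strongswan.d per the commit message) the copy stays root-owned and the non-root agent cannot later edit or remove it except through these rootwrap calls — presumably intended, but worth stating in the NOTE. The `os.path.exists` guard around the `rm -rf` is no longer needed for correctness since `rm -rf` tolerates a missing path, though keeping it saves one root invocation. StrongSwanProcess continues outside the hunk.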