From 5bcbb65f3c0383a22ebb749a9251f689755e464c Mon Sep 17 00:00:00 2001 From: Thierry Carrez Date: Wed, 29 Feb 2012 16:22:42 +0100 Subject: [PATCH] Add missing filters for new root commands Add missing rootwrap filters for 'ovs-ofctl', 'cp' and 'mkfs'. Do not run 'rm' as root since it's unnecessary. Add documentation to try to prevent future misses. Fixes bug 943293. Change-Id: Ia680048a28a75f661a136d8447ff0aaf195649ba --- nova/rootwrap/compute.py | 9 +++++++++ nova/rootwrap/network.py | 3 +++ nova/utils.py | 2 ++ nova/virt/disk/api.py | 4 ++-- 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/nova/rootwrap/compute.py b/nova/rootwrap/compute.py index 65e6dfebbd3..445e797d4ff 100755 --- a/nova/rootwrap/compute.py +++ b/nova/rootwrap/compute.py @@ -73,6 +73,9 @@ # nova/virt/disk/api.py: 'chmod', 755, netdir filters.CommandFilter("/bin/chmod", "root"), + # nova/virt/disk/api.py: 'cp', os.path.join(fs... + filters.CommandFilter("/bin/cp", "root"), + # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev @@ -102,6 +105,9 @@ # nova/network/linux_net.py: 'ovs-vsctl', .... filters.CommandFilter("/usr/bin/ovs-vsctl", "root"), + # nova/network/linux_net.py: 'ovs-ofctl', .... + filters.CommandFilter("/usr/bin/ovs-ofctl", "root"), + # nova/virt/libvirt/connection.py: 'dd', "if=%s" % virsh_output, ... filters.CommandFilter("/bin/dd", "root"), @@ -169,6 +175,9 @@ # nova/virt/xenapi/vm_utils.py: 'mkswap' filters.CommandFilter("/sbin/mkswap", "root"), + # nova/virt/xenapi/vm_utils.py: 'mkfs' + filters.CommandFilter("/sbin/mkfs", "root"), + # nova/virt/libvirt/connection.py: filters.ReadFileFilter("/etc/iscsi/initiatorname.iscsi"), ] diff --git a/nova/rootwrap/network.py b/nova/rootwrap/network.py index f9fd9b9c33c..62fec18e49b 100755 --- a/nova/rootwrap/network.py +++ b/nova/rootwrap/network.py 
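Review bot: `filters.CommandFilter("/bin/cp", "root")` in the first compute.py hunk puts no constraint on the arguments, so (assuming CommandFilter matches on the executable alone, as the path-plus-user form suggests) anything allowed to call rootwrap can copy any file to any path as root. That is far wider than the one call the comment cites, a copy of a temp file into `os.path.join(fs, 'etc', ...)`. The same applies to `/sbin/mkfs` in the third compute.py hunk, which as written is not tied to any particular device, and to the `ovs-ofctl` entries in compute.py and network.py. If the filters module offers an argument-matching filter, I would use it to pin the argument shape; failing that, mark the entry, e.g. `# FIXME: unrestricted cp as root; narrow to the guest-mount destinations used by nova/virt/disk/api.py`. The filter list starts and ends outside these hunks, so existing entries may share the problem.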
@@ -83,4 +83,7 @@ # nova/network/linux_net.py: 'ovs-vsctl', .... filters.CommandFilter("/usr/bin/ovs-vsctl", "root"), + + # nova/network/linux_net.py: 'ovs-ofctl', .... + filters.CommandFilter("/usr/bin/ovs-ofctl", "root"), ] diff --git a/nova/utils.py b/nova/utils.py index df008c09025..a224b38784c 100644 --- a/nova/utils.py +++ b/nova/utils.py @@ -164,6 +164,8 @@ def fetchfile(url, target): def execute(*cmd, **kwargs): """ Helper method to execute command with optional retry. + If you add a run_as_root=True command, don't forget to add the + corresponding filter to nova.rootwrap ! :cmd Passed to subprocess.Popen. :process_input Send to opened process. diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py index 42ad683a664..8fdc59b803f 100644 --- a/nova/virt/disk/api.py +++ b/nova/virt/disk/api.py @@ -373,10 +373,10 @@ def _inject_admin_password_into_fs(admin_passwd, fs, execute=None): _set_passwd(admin_user, admin_passwd, tmp_passwd, tmp_shadow) utils.execute('cp', tmp_passwd, os.path.join(fs, 'etc', 'passwd'), run_as_root=True) - utils.execute('rm', tmp_passwd, run_as_root=True) + os.unlink(tmp_passwd) utils.execute('cp', tmp_shadow, os.path.join(fs, 'etc', 'shadow'), run_as_root=True) - utils.execute('rm', tmp_shadow, run_as_root=True) + os.unlink(tmp_shadow) def _set_passwd(username, admin_passwd, passwd_file, shadow_file):
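Review bot: The reminder added to the `execute` docstring says a filter is needed but not where it goes or how tight it should be. This patch shows the filters living in per-service lists (`nova/rootwrap/compute.py`, `nova/rootwrap/network.py`) keyed by absolute executable path. I would word it as `If you add a run_as_root=True command, add a matching filter (absolute executable path, arguments as narrow as the call allows) to the relevant nova/rootwrap/ module.` The rest of the docstring and the function body lie outside the hunk.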
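Review bot: The two `os.unlink` calls run only when the preceding `cp` succeeds. If `utils.execute` raises on a failed copy (its failure behaviour is not visible in this hunk), `tmp_passwd` and `tmp_shadow`, which hold the new password entries, are left on the host's disk. Wrapping both copies in `try`/`finally` makes the cleanup unconditional. The temp files are created earlier in `_inject_admin_password_into_fs`, outside the hunk, so their creation mode and ownership cannot be checked from here.

```python
    _set_passwd(admin_user, admin_passwd, tmp_passwd, tmp_shadow)
    try:
        utils.execute('cp', tmp_passwd, os.path.join(fs, 'etc', 'passwd'),
                      run_as_root=True)
        utils.execute('cp', tmp_shadow, os.path.join(fs, 'etc', 'shadow'),
                      run_as_root=True)
    finally:
        # Remove both temp files even when a copy fails.
        for tmp_path in (tmp_passwd, tmp_shadow):
            os.unlink(tmp_path)
```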