Adding virt-ssh-helpers to nova_migration sudoers and wrapper

Since libvirt 6.8.0, virt-ssh-helper is replacing the netcat command by default for live migration. This has been worked around by adding a proxy=netcat to the live migration URI in TripleO [1] but we need to have a path toward using virt-ssh-helper. Just like netcat, nova-migration-wrapper will call virt-ssh-helper using sudo as the nova user so we need to add it to sudoers as well. [1] https://review.opendev.org/779313 Closes-Bug: #1918250 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1936804 Change-Id: I946bb8e9ece47185b98b2ac69ae24a64943b92aa
rdo-packages · Feb 2, 2022 · d5aba75 · d5aba75
1 parent c19d80b
commit d5aba75
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 28 deletions.
diff --git a/nova-migration-wrapper b/nova-migration-wrapper
@@ -3,6 +3,41 @@ import os
 import sys
 import syslog
 
+# Handle libvirt ssh tunnel script snippet
+# https://github.com/libvirt/libvirt/blob/f0803dae93d62a4b8a2f67f4873c290a76d978b3/src/rpc/virnetsocket.c#L890
+LIBVIRT_SOCK = '/var/run/libvirt/libvirt-sock'
+# Need to keep this in case proxy=netcat is part of the uri string
+# https://github.com/libvirt/libvirt/blob/108676c225c8aeb49bbbd5b8e55f7dbfedc71ac0/src/rpc/virnetclient.c#L437-L444
+LIVE_MIGRATION_TUNNEL_NETCAT = (
+    "if 'nc' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1; then "
+    "ARG=-q0;"
+    "else "
+    "ARG=;"
+    "fi;"
+    f"'nc' $ARG -U {LIBVIRT_SOCK}")
+
+# The virt-ssh-helper command string includes the origin netcat one (without the sh)
+# https://github.com/libvirt/libvirt/blob/108676c225c8aeb49bbbd5b8e55f7dbfedc71ac0/src/rpc/virnetclient.c#L452-L457
+LIVE_MIGRATION_VIRT_SSH_HELPER = (
+    "sh -c 'which virt-ssh-helper 1>/dev/null 2>&1; if test $? = 0; then     " \
+    "virt-ssh-helper 'qemu:///system'; " \
+    f"else    {LIVE_MIGRATION_TUNNEL_NETCAT}; fi'")
+# We need to put back the sh in the netcat command
+LIVE_MIGRATION_TUNNEL_NETCAT_SH = f"sh -c '{LIVE_MIGRATION_TUNNEL_NETCAT}'"
+
+COLD_MIGRATION_ROOT = '/var/lib/nova/instances/'
+COLD_MIGRATION_CMDS = [
+    ['mkdir', '-p'],
+    ['rm', '-rf'],
+    ['touch'],
+    ['rm'],
+    ['scp', '-r', '-t'],
+    ['scp', '-r', '-f'],
+    ['scp', '-t'],
+    ['scp', '-f'],
+]
+ROOTWRAP_ARGS = ['/usr/bin/nova-rootwrap', '/etc/nova/migration/rootwrap.conf']
+
 command = os.environ.get('SSH_ORIGINAL_COMMAND')
 ssh_connection = os.environ.get('SSH_CONNECTION')
 if command is None:
@@ -26,40 +61,21 @@ def deny_command(args):
     sys.stderr.write('Forbidden\n')
     sys.exit(1)
 
-# Handle libvirt ssh tunnel script snippet
-# https://github.com/libvirt/libvirt/blob/f0803dae93d62a4b8a2f67f4873c290a76d978b3/src/rpc/virnetsocket.c#L890
-libvirt_sock = '/var/run/libvirt/libvirt-sock'
-live_migration_tunnel_cmd = "sh -c 'if 'nc' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1; then " \
-                                "ARG=-q0;" \
-                            "else " \
-                                "ARG=;" \
-                            "fi;" \
-                            "'nc' $ARG -U {}'".format(libvirt_sock)
-
-cold_migration_root = '/var/lib/nova/instances/'
-cold_migration_cmds = [
-    ['mkdir', '-p'],
-    ['rm', '-rf'],
-    ['touch'],
-    ['rm'],
-    ['scp', '-r', '-t'],
-    ['scp', '-r', '-f'],
-    ['scp', '-t'],
-    ['scp', '-f'],
-]
-rootwrap_args = ['/usr/bin/nova-rootwrap', '/etc/nova/migration/rootwrap.conf']
-
 def validate_cold_migration_cmd(args):
     target_path = os.path.normpath(args[-1])
     cmd = args[:-1]
-    return cmd in cold_migration_cmds and target_path.startswith(cold_migration_root)
+    return cmd in COLD_MIGRATION_CMDS and target_path.startswith(COLD_MIGRATION_ROOT)
 
+# TODO(dvd): Move this in TripleO
 # Rules
 args = command.split(' ')
-if command == live_migration_tunnel_cmd:
-    args = ['nc', '-U', libvirt_sock]
+if command == LIVE_MIGRATION_VIRT_SSH_HELPER:
+    args = ['virt-ssh-helper', 'qemu:///system']
+    allow_command('nova', args)
+if command == LIVE_MIGRATION_TUNNEL_NETCAT_SH:
+    args = ['nc', '-U', LIBVIRT_SOCK]
     allow_command('nova', args)
 if validate_cold_migration_cmd(args):
-    args = rootwrap_args + args
+    args = ROOTWRAP_ARGS + args
     allow_command('root', args)
 deny_command(args)
diff --git a/nova_migration-sudoers b/nova_migration-sudoers
@@ -1,4 +1,4 @@
 Defaults:nova_migration !requiretty
 
-nova_migration ALL = (nova) NOPASSWD: /usr/bin/nc -U /var/run/libvirt/libvirt-sock
+nova_migration ALL = (nova) NOPASSWD: /usr/bin/nc -U /var/run/libvirt/libvirt-sock, /usr/bin/virt-ssh-helper qemu\:///system
 nova_migration ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap /etc/nova/migration/rootwrap.conf *