From: Terry Wilson Date: Tue, 10 Feb 2015 03:32:58 +0000 (-0600) Subject: Remove root_helper arg from IptablesManager X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=6095556f96fa456fbefb33c2578cfcf0bb624338;p=openstack-build%2Fneutron-build.git Remove root_helper arg from IptablesManager Partially-Implements: blueprint rootwrap-daemon-mode Change-Id: I4b7da37df4256a1019f16c587e1738175861030e --- diff --git a/neutron/agent/l3/dvr.py b/neutron/agent/l3/dvr.py index 64eed2552..ebf4358ab 100644 --- a/neutron/agent/l3/dvr.py +++ b/neutron/agent/l3/dvr.py @@ -165,7 +165,6 @@ class AgentMixin(object): self._external_gateway_added(ri, ex_gw_port, gw_interface_name, snat_ns_name, preserve_ips=[]) ri.snat_iptables_manager = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=snat_ns_name, use_ipv6=self.use_ipv6) # kicks the FW Agent to add rules for the snat namespace diff --git a/neutron/agent/l3/dvr_fip_ns.py b/neutron/agent/l3/dvr_fip_ns.py index b11dc1345..154d1f041 100644 --- a/neutron/agent/l3/dvr_fip_ns.py +++ b/neutron/agent/l3/dvr_fip_ns.py @@ -47,7 +47,6 @@ class FipNamespace(object): self._subscribers = set() self._rule_priorities = set(range(FIP_PR_START, FIP_PR_END)) self._iptables_manager = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=self.get_name(), use_ipv6=self.use_ipv6) path = os.path.join(agent_conf.state_path, 'fip-linklocal-networks') diff --git a/neutron/agent/l3/router_info.py b/neutron/agent/l3/router_info.py index e6cafe44b..2fbbdc450 100644 --- a/neutron/agent/l3/router_info.py +++ b/neutron/agent/l3/router_info.py @@ -41,7 +41,6 @@ class RouterInfo(object): self.router = router self.ns_name = ns_name self.iptables_manager = iptables_manager.IptablesManager( - root_helper=root_helper, use_ipv6=use_ipv6, namespace=self.ns_name) self.routes = [] diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 691e0a0bb..285b5de94 100644 
--- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -50,7 +50,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def __init__(self): self.root_helper = cfg.CONF.AGENT.root_helper self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=ipv6_utils.is_enabled()) # TODO(majopela, shihanzhang): refactor out ipset to a separate # driver composed over this one diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index 7a7ab6275..5adf1d227 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py @@ -281,9 +281,8 @@ class IptablesManager(object): """ - def __init__(self, _execute=None, state_less=False, - root_helper=None, use_ipv6=False, namespace=None, - binary_name=binary_name): + def __init__(self, _execute=None, state_less=False, use_ipv6=False, + namespace=None, binary_name=binary_name): if _execute: self.execute = _execute else: @@ -291,7 +290,6 @@ class IptablesManager(object): config.register_iptables_opts(cfg.CONF) self.use_ipv6 = use_ipv6 - self.root_helper = root_helper self.namespace = namespace self.iptables_apply_deferred = False self.wrap_name = binary_name[:16] @@ -430,7 +428,7 @@ class IptablesManager(object): args = ['%s-save' % (cmd,), '-c'] if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args - all_tables = self.execute(args, root_helper=self.root_helper) + all_tables = self.execute(args, run_as_root=True) all_lines = all_tables.split('\n') # Traverse tables in sorted order for predictable dump output for table_name in sorted(tables): @@ -444,7 +442,7 @@ class IptablesManager(object): args = ['ip', 'netns', 'exec', self.namespace] + args try: self.execute(args, process_input='\n'.join(all_lines), - root_helper=self.root_helper) + run_as_root=True) except RuntimeError as r_error: with excutils.save_and_reraise_exception(): try: 
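Review bot: Dropping `root_helper` from the middle of the `IptablesManager.__init__` signature in the `@@ -281,9 +281,8 @@` hunk shifts `use_ipv6`, `namespace` and `binary_name` one position to the left. A caller that passes arguments positionally would silently bind its helper string to `use_ipv6`, and one that still passes `root_helper=` by keyword now fails with a TypeError. Every call site updated in this commit uses keywords, but consumers outside this tree are not visible here. Consider accepting and ignoring the old parameter for a deprecation period, or at least stating the contract in the class docstring, for example `All arguments must be passed by keyword; privilege escalation is requested per command via run_as_root.` The body of `__init__` continues outside the hunk.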
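Review bot: The `self.execute(args, run_as_root=True)` calls in the `@@ -430,7 +428,7 @@` hunk, and likewise in `@@ -444,7 +442,7 @@` and `@@ -693,8 +691,7 @@`, are also made on a caller-supplied `_execute`, which `__init__` still accepts, so any injected callable must now take a `run_as_root` keyword instead of `root_helper`. Escalation is also no longer chosen per instance: every save, restore and counter read asks for root, and which helper is used is decided inside the execute function, which is not shown here. It is worth confirming that the configured helper's command filters cover each form, including the `ip netns exec <namespace>` prefix, and that a missing helper raises an error instead of running the command unprivileged. A comment at the first call would record this, for example `# run_as_root: helper is resolved by execute(); an injected _execute must accept this keyword`. The enclosing methods start and end outside these hunks.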
@@ -693,8 +691,7 @@ class IptablesManager(object): args.append('-Z') if self.namespace: args = ['ip', 'netns', 'exec', self.namespace] + args - current_table = (self.execute(args, - root_helper=self.root_helper)) + current_table = self.execute(args, run_as_root=True) current_lines = current_table.split('\n') for line in current_lines[2:]: diff --git a/neutron/services/metering/drivers/iptables/iptables_driver.py b/neutron/services/metering/drivers/iptables/iptables_driver.py index afacc46ab..395cf818b 100644 --- a/neutron/services/metering/drivers/iptables/iptables_driver.py +++ b/neutron/services/metering/drivers/iptables/iptables_driver.py @@ -73,7 +73,6 @@ class RouterWithMetering(object): self.root_helper = config.get_root_helper(self.conf) self.ns_name = NS_PREFIX + self.id if conf.use_namespaces else None self.iptables_manager = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=self.ns_name, binary_name=WRAP_NAME, use_ipv6=ipv6_utils.is_enabled()) diff --git a/neutron/tests/functional/agent/linux/test_ipset.py b/neutron/tests/functional/agent/linux/test_ipset.py index c447e0018..13340afeb 100644 --- a/neutron/tests/functional/agent/linux/test_ipset.py +++ b/neutron/tests/functional/agent/linux/test_ipset.py @@ -33,7 +33,6 @@ class IpsetBase(base.BaseIPVethTestCase): IPSET_SET) self.dst_iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=self.dst_ns.namespace) self._add_iptables_ipset_rules(self.dst_iptables) diff --git a/neutron/tests/functional/agent/linux/test_iptables.py b/neutron/tests/functional/agent/linux/test_iptables.py index 8634fddc2..bbdbe8815 100644 --- a/neutron/tests/functional/agent/linux/test_iptables.py +++ b/neutron/tests/functional/agent/linux/test_iptables.py 
@@ -35,10 +35,8 @@ class IptablesManagerTestCase(base.BaseIPVethTestCase): def create_firewalls(self): client_iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=self.client_ns.namespace) server_iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, namespace=self.server_ns.namespace) return client_iptables, server_iptables diff --git a/neutron/tests/unit/services/metering/drivers/test_iptables_driver.py b/neutron/tests/unit/services/metering/drivers/test_iptables_driver.py index 5a6202fd4..e9bef2313 100644 --- a/neutron/tests/unit/services/metering/drivers/test_iptables_driver.py +++ b/neutron/tests/unit/services/metering/drivers/test_iptables_driver.py @@ -81,14 +81,6 @@ class IptablesDriverTestCase(base.BaseTestCase): self.metering = iptables_driver.IptablesMeteringDriver('metering', cfg.CONF) - def test_root_helper(self): - self.metering.add_metering_label(None, TEST_ROUTERS) - - self.iptables_cls.assert_called_with(root_helper='fake_sudo', - namespace=mock.ANY, - binary_name=mock.ANY, - use_ipv6=mock.ANY) - def test_add_metering_label(self): routers = TEST_ROUTERS[:1] diff --git a/neutron/tests/unit/test_iptables_manager.py b/neutron/tests/unit/test_iptables_manager.py index 727c1ebcd..e5af48eaf 100644 --- a/neutron/tests/unit/test_iptables_manager.py +++ b/neutron/tests/unit/test_iptables_manager.py @@ -132,9 +132,7 @@ class IptablesCommentsTestCase(base.BaseTestCase): super(IptablesCommentsTestCase, self).setUp() cfg.CONF.register_opts(a_cfg.IPTABLES_OPTS, 'AGENT') cfg.CONF.set_override('comment_iptables_rules', True, 'AGENT') - self.root_helper = 'sudo' - self.iptables = (iptables_manager. - IptablesManager(root_helper=self.root_helper)) + self.iptables = iptables_manager.IptablesManager() self.execute = mock.patch.object(self.iptables, "execute").start() def test_comments_short_enough(self): 
@@ -157,20 +155,20 @@ class IptablesCommentsTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + COMMENTED_NAT_DUMP + mangle_dump + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + COMMENTED_NAT_DUMP + mangle_dump + FILTER_DUMP), - root_helper=self.root_helper + run_as_root=True ), None), ] @@ -233,8 +231,7 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): cfg.CONF.register_opts(a_cfg.IPTABLES_OPTS, 'AGENT') cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT') self.root_helper = 'sudo' - self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper) + self.iptables = iptables_manager.IptablesManager() self.execute = mock.patch.object(self.iptables, "execute").start() def test_binary_name(self): 
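Review bot: `self.root_helper = 'sudo'` is left in `IptablesManagerStateFulTestCase.setUp` in the `@@ -233,8 +231,7 @@` hunk, although the manager no longer takes it and every expectation this commit touches in the file now asserts `run_as_root=True`. The same assignment was removed from `IptablesCommentsTestCase.setUp` in the `@@ -132,9 +132,7 @@` hunk, so the two fixtures are now inconsistent. Unless a test outside the visible hunks still reads the attribute, delete the line so the fixture does not suggest that the helper can still be set per instance. `setUp` starts outside the hunk.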
@@ -254,27 +251,26 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _extend_with_ip6tables_filter(self, expected_calls, filter_dump): expected_calls.insert(2, ( mock.call(['ip6tables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), '')) expected_calls.insert(3, ( mock.call(['ip6tables-restore', '-c'], process_input=filter_dump, - root_helper=self.root_helper), + run_as_root=True), None)) expected_calls.extend([ (mock.call(['ip6tables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['ip6tables-restore', '-c'], process_input=filter_dump, - root_helper=self.root_helper), + run_as_root=True), None)]) def _test_add_and_remove_chain_custom_binary_name_helper(self, use_ipv6): bn = ("abcdef" * 5) self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, binary_name=bn, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() @@ -294,20 +290,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -334,7 +330,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): bn = ("abcdef" * 5)[:16] self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, binary_name=bn, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() 
@@ -355,20 +350,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -395,7 +390,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_add_and_remove_chain_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() @@ -403,20 +397,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -441,7 +435,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_add_filter_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() 
@@ -455,20 +448,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper + run_as_root=True ), None), ] @@ -504,7 +497,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_rule_with_wrap_target_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() @@ -537,20 +529,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + filter_dump_mod), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -582,7 +574,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_add_mangle_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() 
@@ -607,20 +598,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + mangle_dump_mod + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -653,7 +644,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_add_nat_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() @@ -684,20 +674,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + nat_dump_mod + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + nat_dump + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -736,7 +726,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_add_raw_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() 
@@ -754,20 +743,20 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump_mod + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), (mock.call(['iptables-save', '-c'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), - root_helper=self.root_helper), + run_as_root=True), None), ] if use_ipv6: @@ -890,7 +879,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_get_traffic_counters_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() exp_packets = 800 @@ -899,26 +887,26 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x'], - root_helper=self.root_helper), + run_as_root=True), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x'], - root_helper=self.root_helper), + run_as_root=True), ''), ] if use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x'], - root_helper=self.root_helper), + run_as_root=True), TRAFFIC_COUNTERS_DUMP)) exp_packets *= 2 exp_bytes *= 2 
@@ -940,7 +928,6 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): def _test_get_traffic_counters_with_zero_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( - root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() exp_packets = 800 @@ -949,26 +936,26 @@ class IptablesManagerStateFulTestCase(base.BaseTestCase): expected_calls_and_values = [ (mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z'], - root_helper=self.root_helper), + run_as_root=True), TRAFFIC_COUNTERS_DUMP), (mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z'], - root_helper=self.root_helper), + run_as_root=True), ''), (mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z'], - root_helper=self.root_helper), + run_as_root=True), '') ] if use_ipv6: expected_calls_and_values.append( (mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z'], - root_helper=self.root_helper), + run_as_root=True), TRAFFIC_COUNTERS_DUMP)) exp_packets *= 2 exp_bytes *= 2 diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py index c1ffc4073..a647e221c 100644 --- a/neutron/tests/unit/test_security_groups_rpc.py +++ b/neutron/tests/unit/test_security_groups_rpc.py 
@@ -2633,22 +2633,22 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): def _replay_iptables(self, v4_filter, v6_filter): self._register_mock_call( ['iptables-save', '-c'], - root_helper=self.root_helper, + run_as_root=True, return_value='') self._register_mock_call( ['iptables-restore', '-c'], process_input=self._regex(IPTABLES_RAW + IPTABLES_NAT + IPTABLES_MANGLE + v4_filter), - root_helper=self.root_helper, + run_as_root=True, return_value='') self._register_mock_call( ['ip6tables-save', '-c'], - root_helper=self.root_helper, + run_as_root=True, return_value='') self._register_mock_call( ['ip6tables-restore', '-c'], process_input=self._regex(v6_filter), - root_helper=self.root_helper, + run_as_root=True, return_value='') def test_prepare_remove_port(self):