From d45be94fdfa6b9836d28b4a8c4fce2b417d30fae Mon Sep 17 00:00:00 2001
From: Michael Still
Date: Tue, 26 Feb 2019 04:33:28 +0000
Subject: [PATCH] Move setting of device trust to privsep.

A relatively trivial change this time.

Change-Id: I7f9751e93cc8a535596a534496b09dfb6ad219e0
---
 nova/network/linux_net.py | 16 +++++-----------
 nova/privsep/linux_net.py | 21 +++++++++++++++++++++
 nova/tests/unit/network/test_linux_net.py | 18 ++++++++++++------
 3 files changed, 38 insertions(+), 17 deletions(-)

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index ecc381c626..d4c664d415 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1603,12 +1603,9 @@ class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
 if not gateway:
 # If we weren't instructed to act as a gateway then add the
 # appropriate flows to block all non-dhcp traffic.
- _execute('ovs-ofctl',
- 'add-flow', bridge, 'priority=1,actions=drop',
- run_as_root=True)
- _execute('ovs-ofctl', 'add-flow', bridge,
- 'udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal' %
- mac_address, run_as_root=True)
+ nova.privsep.linux_net.ovs_drop_nondhcp(
+ bridge, mac_address)
+
 # .. and make sure iptbles won't forward it as well.
 iptables_manager.ipv4['filter'].add_rule('FORWARD',
 '--in-interface %s -j %s' % (bridge,
@@ -1653,8 +1650,5 @@ def set_vf_trusted(pci_addr, trusted):
 pf_ifname = pci_utils.get_ifname_by_pci_address(pci_addr,
 pf_interface=True)
 vf_num = pci_utils.get_vf_num_by_pci_address(pci_addr)
- utils.execute('ip', 'link', 'set', pf_ifname,
- 'vf', vf_num,
- 'trust', bool(trusted) and 'on' or 'off',
- run_as_root=True,
- check_exit_code=[0, 2, 254])
+ nova.privsep.linux_net.set_device_trust(
+ pf_ifname, vf_num, trusted)
diff --git a/nova/privsep/linux_net.py b/nova/privsep/linux_net.py
index c0a6b33d27..a6712d2c83 100644
--- a/nova/privsep/linux_net.py
+++ b/nova/privsep/linux_net.py
@@ -88,6 +88,18 @@ def _set_device_enabled_inner(dev):
 check_exit_code=[0, 2, 254])
 
 
+@nova.privsep.sys_admin_pctxt.entrypoint
+def set_device_trust(dev, vf_num, trusted):
+ _set_device_trust_inner(dev, vf_num, trusted)
+
+
+def _set_device_trust_inner(dev, vf_num, trusted):
+ processutils.execute('ip', 'link', 'set', dev,
+ 'vf', vf_num,
+ 'trust', bool(trusted) and 'on' or 'off',
+ check_exit_code=[0, 2, 254])
+
+
 @nova.privsep.sys_admin_pctxt.entrypoint
 def set_device_disabled(dev):
 processutils.execute('ip', 'link', 'set', dev, 'down')
@@ -363,6 +375,15 @@ def ovs_plug(timeout, bridge, dev, mac_address):
 'external-ids:attached-mac=%s' % mac_address)
 
 
+@nova.privsep.sys_admin_pctxt.entrypoint
+def ovs_drop_nondhcp(bridge, mac_address):
+ processutils.execute(
+ 'ovs-ofctl', 'add-flow', bridge, 'priority=1,actions=drop')
+ processutils.execute(
+ 'ovs-ofctl', 'add-flow', bridge,
+ 'udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal' % mac_address)
+
+
 @nova.privsep.sys_admin_pctxt.entrypoint
 def ovs_unplug(timeout, bridge, dev):
 processutils.execute('ovs-vsctl', '--timeout=%s' % timeout,
diff --git a/nova/tests/unit/network/test_linux_net.py b/nova/tests/unit/network/test_linux_net.py
index 0170d740ce..e41fee0f97 100644
--- a/nova/tests/unit/network/test_linux_net.py
+++ b/nova/tests/unit/network/test_linux_net.py
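Review bot: `set_device_trust` and `_set_device_trust_inner` are new privileged entrypoints with no docstring, and the tolerated exit codes `check_exit_code=[0, 2, 254]` carry no explanation; the same list appears on the `_set_device_enabled_inner` context line above, so the reason is presumably shared but is not recorded anywhere visible here. A one-line docstring on `set_device_trust` such as `"""Set the 'trust' flag of VF vf_num on PF dev to on/off via 'ip link set'."""` plus a why-comment on the exit-code line, e.g. `# NOTE(review): exit codes 2 and 254 are treated as success, mirroring _set_device_enabled_inner; confirm which iproute2 conditions these cover`, would make the contract readable. Since this runs in the sys_admin privsep context, `dev` and `vf_num` arrive from the unprivileged side without any check; the docstring should also state what the caller is expected to guarantee about them.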
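Review bot: `ovs_drop_nondhcp` interpolates `mac_address` straight into the OpenFlow match string `'udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal'` on the privileged side of the privsep boundary, with no check that it is a well-formed MAC. The flow spec is a comma-separated field list parsed by ovs-ofctl, so a malformed value becomes part of the rule text rather than being rejected; the entrypoint should validate the argument before building the command, for example `if not re.match(r'^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$', mac_address): raise ValueError('invalid MAC address')` (with `re` imported at module level if it is not already). The drop flow and the DHCP allow flow are installed by two separate executions; if the second fails, the bridge is left with only the priority-1 drop flow, which is fail-closed but worth stating in a docstring. The function also lacks a docstring, e.g. `"""Install flows on bridge that drop all traffic except UDP to port 67 addressed to mac_address."""`.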
@@ -1401,22 +1401,28 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
 
 @mock.patch('nova.pci.utils.get_vf_num_by_pci_address')
 @mock.patch('nova.pci.utils.get_ifname_by_pci_address')
- @mock.patch('nova.utils.execute')
- def test_set_vf_trusted_on(self, mexecute, mget_ifname, mget_vfnum):
+ @mock.patch('nova.privsep.linux_net.set_device_trust',
+ side_effect=nova.privsep.linux_net._set_device_trust_inner)
+ @mock.patch('oslo_concurrency.processutils.execute')
+ def test_set_vf_trusted_on(self, mexecute, mtrust, mget_ifname,
+ mget_vfnum):
 mget_ifname.return_value = 'eth0'
 mget_vfnum.return_value = 2
 linux_net.set_vf_trusted('PCI_ADDR', True)
 mexecute.assert_called_once_with(
 'ip', 'link', 'set', 'eth0', 'vf', 2, 'trust', 'on',
- check_exit_code=[0, 2, 254], run_as_root=True)
+ check_exit_code=[0, 2, 254])
 
 @mock.patch('nova.pci.utils.get_vf_num_by_pci_address')
 @mock.patch('nova.pci.utils.get_ifname_by_pci_address')
- @mock.patch('nova.utils.execute')
- def test_set_vf_trusted_off(self, mexecute, mget_ifname, mget_vfnum):
+ @mock.patch('nova.privsep.linux_net.set_device_trust',
+ side_effect=nova.privsep.linux_net._set_device_trust_inner)
+ @mock.patch('oslo_concurrency.processutils.execute')
+ def test_set_vf_trusted_off(self, mexecute, mtrust, mget_ifname,
+ mget_vfnum):
 mget_ifname.return_value = 'eth0'
 mget_vfnum.return_value = 2
 linux_net.set_vf_trusted('PCI_ADDR', False)
 mexecute.assert_called_once_with(
 'ip', 'link', 'set', 'eth0', 'vf', 2, 'trust', 'off',
- check_exit_code=[0, 2, 254], run_as_root=True)
+ check_exit_code=[0, 2, 254])
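Review bot: Both tests bind the patched `set_device_trust` as `mtrust` but never assert on it, so they do not check the arguments that cross the privsep boundary, only the resulting `processutils.execute` call. Adding `mtrust.assert_called_once_with('eth0', 2, True)` in `test_set_vf_trusted_on` (and `False` in `test_set_vf_trusted_off`) pins what `set_vf_trusted` hands to the privileged side. The diffstat shows no test changes beyond these two, while the first hunk in `nova/network/linux_net.py` replaced the `_execute('ovs-ofctl', ...)` calls with `ovs_drop_nondhcp`; if an existing test asserts those calls it presumably needs the same `side_effect` treatment, and `ovs_drop_nondhcp` itself has no direct test in this patch.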