File 0001-Copy-remove-the-strongswan.d-config-as-root.patch of Package openstack-neutron-vpnaas
From a70f1a5fa7efb3a9bab3dd715cb65aca2657b612 Mon Sep 17 00:00:00 2001
From: Thomas Bechtold <tbechtold@suse.com>
Date: Mon, 30 May 2016 11:52:43 +0200
Subject: [PATCH] Copy/remove the strongswan.d config as root
The strongswan.d config dir (typically /etc/strongswan.d) is normally owned
by root, but the neutron-vpn-agent may run as non-root, so the files need
to be copied as root to avoid a "permission denied" error.
Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
---
etc/neutron/rootwrap.d/vpnaas.filters | 2 ++
neutron_vpnaas/services/vpn/device_drivers/ipsec.py | 3 ++-
neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py | 9 ++++++---
3 files changed, 10 insertions(+), 4 deletions(-)
Index: neutron-vpnaas-7.0.5.dev3/etc/neutron/rootwrap.d/vpnaas.filters
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/etc/neutron/rootwrap.d/vpnaas.filters
+++ neutron-vpnaas-7.0.5.dev3/etc/neutron/rootwrap.d/vpnaas.filters
@@ -8,9 +8,11 @@
[Filters]
+cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
ipsec: CommandFilter, ipsec, root
+rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
strongswan: CommandFilter, strongswan, root
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
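Review bot: The new `cp:` and `rm:` filters are far wider than the two call sites need. With `.*` as the cp source and `.*/strongswan.d` or `.*/ipsec/[0-9a-z-]+` as targets, any process that can call rootwrap as the neutron user gets root-level `cp -a` and `rm -rf` on every matching path on the host, not just the agent's own state directory. The `.` in `strongswan.d` is also unescaped, and a `.*` prefix still admits `..` components, so a literal prefix alone does not confine the path. I would pin both filters to the deployment's directories, e.g. `rm: RegExpFilter, rm, root, rm, -rf, <STATE_PATH>/ipsec/[0-9a-z-]+` and `cp: RegExpFilter, cp, root, cp, -a, <TEMPLATE_DIR>, <STATE_PATH>/ipsec/[0-9a-z-]+/.*/strongswan\.d` (both placeholders to be filled from the packaged config). Alternatively, oslo.rootwrap's `PathFilter` resolves the real path before comparing it, which may fit better here.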
Index: neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -187,7 +187,8 @@ class BaseSwanProcess(object):
def remove_config(self):
"""Remove whole config file."""
- shutil.rmtree(self.config_dir, ignore_errors=True)
+ utils.execute(
+ cmd=["rm", "-rf", self.config_dir], run_as_root=True)
def _get_config_filename(self, kind):
config_dir = self.etc_dir
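Review bot: `remove_config` used to be best-effort (`ignore_errors=True`), but the new `utils.execute(...)` call will presumably raise if rootwrap rejects the command or `rm` exits non-zero. A rejection would happen whenever `self.config_dir` does not match the `.*/ipsec/[0-9a-z-]+` filter, for instance with a non-default state path layout or an id containing uppercase characters. If cleanup should stay non-fatal, pass `check_exit_code=False` (assuming `utils` is neutron's agent utils module) or catch and log the error. Since this now deletes recursively as root, a one-line comment stating that `config_dir` is always derived from the agent's own state path and a process id would help; the docstring's "config file" should also read "config directory".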
Index: neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -104,9 +104,12 @@ class StrongSwanProcess(ipsec.BaseSwanPr
extra_ok_codes=extra_ok_codes)
def copy_and_overwrite(self, from_path, to_path):
+ # NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
if os.path.exists(to_path):
- shutil.rmtree(to_path)
- shutil.copytree(from_path, to_path)
+ utils.execute(
+ cmd=["rm", "-rf", to_path], run_as_root=True)
+ utils.execute(
+ cmd=["cp", "-a", from_path, to_path], run_as_root=True)
def ensure_configs(self):
"""Generate config files which are needed for StrongSwan.
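Review bot: The `os.path.exists(to_path)` guard in `copy_and_overwrite` still runs as the unprivileged agent, and it returns False when the agent cannot stat the path, which is the very situation this patch addresses. In that case the `rm -rf` is skipped, and `cp -a` into an existing directory nests the source inside `to_path` instead of replacing it. Since `rm -rf` already succeeds on a missing path, drop the guard and always run `utils.execute(cmd=["rm", "-rf", to_path], run_as_root=True)` before the copy. Two further points: `cp -a` preserves ownership, so the copied tree stays root-owned and the agent may not be able to modify it later. Both commands also act as root on paths under a directory the non-root agent may be able to write to, so it is worth confirming that `to_path` and its parents cannot be replaced with symlinks between the two calls.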