File 0001-Copy-remove-the-strongswan.d-config-as-root.patch of Package openstack-neutron-vpnaas

From a70f1a5fa7efb3a9bab3dd715cb65aca2657b612 Mon Sep 17 00:00:00 2001
From: Thomas Bechtold <tbechtold@suse.com>
Date: Mon, 30 May 2016 11:52:43 +0200
Subject: [PATCH] Copy/remove the strongswan.d config as root

The strongswan.d config dir (usually /etc/strongswan.d) is usually owned
by root but the neutron-vpn-agent may run as non-root so the files need
to be copied as root to not get a "permission denied" error.

Change-Id: I40785f8c89b304efdf0f95469ec5a2d57b0cad60
Closes-Bug: #1586986
---
 etc/neutron/rootwrap.d/vpnaas.filters                          | 2 ++
 neutron_vpnaas/services/vpn/device_drivers/ipsec.py            | 3 ++-
 neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py | 9 ++++++---
 3 files changed, 10 insertions(+), 4 deletions(-)

Index: neutron-vpnaas-7.0.5.dev3/etc/neutron/rootwrap.d/vpnaas.filters
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/etc/neutron/rootwrap.d/vpnaas.filters
+++ neutron-vpnaas-7.0.5.dev3/etc/neutron/rootwrap.d/vpnaas.filters
@@ -8,9 +8,11 @@
 
 [Filters]
 
+cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
+rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
Index: neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@@ -187,7 +187,8 @@ class BaseSwanProcess(object):
 
     def remove_config(self):
         """Remove whole config file."""
-        shutil.rmtree(self.config_dir, ignore_errors=True)
+        utils.execute(
+            cmd=["rm", "-rf", self.config_dir], run_as_root=True)
 
     def _get_config_filename(self, kind):
         config_dir = self.etc_dir
Index: neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
===================================================================
--- neutron-vpnaas-7.0.5.dev3.orig/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
+++ neutron-vpnaas-7.0.5.dev3/neutron_vpnaas/services/vpn/device_drivers/strongswan_ipsec.py
@@ -104,9 +104,12 @@ class StrongSwanProcess(ipsec.BaseSwanPr
             extra_ok_codes=extra_ok_codes)
 
     def copy_and_overwrite(self, from_path, to_path):
+        # NOTE(toabctl): the agent may run as non-root user, so rm/copy as root
         if os.path.exists(to_path):
-            shutil.rmtree(to_path)
-        shutil.copytree(from_path, to_path)
+            utils.execute(
+                cmd=["rm", "-rf", to_path], run_as_root=True)
+        utils.execute(
+            cmd=["cp", "-a", from_path, to_path], run_as_root=True)
 
     def ensure_configs(self):
         """Generate config files which are needed for StrongSwan.