Merge "Move xend existence probes to privsep."

etc/nova/rootwrap.d/compute.filters

@@ -188,8 +188,5 @@ cp: CommandFilter, cp, root
 # nova/virt/xenapi/vm_utils.py:
 sync: CommandFilter, sync, root
 
-# nova/virt/libvirt/utils.py: 'xend', 'status'
-xend: CommandFilter, xend, root
-
 # nova/virt/libvirt/volume/vzstorage.py
 pstorage-mount: CommandFilter, pstorage-mount, root

nova/privsep/libvirt.py

@@ -210,3 +210,8 @@ def readpty(path):
         LOG.info(_('Ignored error while reading from instance console '
                    'pty: %s'), e)
         return ''
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def xend_probe():
+    processutils.execute('xend', 'status', check_exit_code=True)

nova/tests/unit/virt/libvirt/test_utils.py

@@ -403,26 +403,29 @@ def test_pick_disk_driver_name(self):
                                                              is_block_dev)
                 self.assertEqual(result, expected_result)
 
+    @mock.patch('nova.privsep.libvirt.xend_probe')
     @mock.patch('nova.utils.execute')
-    def test_pick_disk_driver_name_xen(self, mock_execute):
+    def test_pick_disk_driver_name_xen(self, mock_execute, mock_xend_probe):
 
-        def side_effect(*args, **kwargs):
+        def execute_side_effect(*args, **kwargs):
             if args == ('tap-ctl', 'check'):
                 if mock_execute.blktap is True:
                     return ('ok\n', '')
                 elif mock_execute.blktap is False:
                     return ('some error\n', '')
                 else:
                     raise OSError(2, "No such file or directory")
-            elif args == ('xend', 'status'):
-                if mock_execute.xend is True:
-                    return ('', '')
-                elif mock_execute.xend is False:
-                    raise processutils.ProcessExecutionError("error")
-                else:
-                    raise OSError(2, "No such file or directory")
             raise Exception('Unexpected call')
-        mock_execute.side_effect = side_effect
+        mock_execute.side_effect = execute_side_effect
+
+        def xend_probe_side_effect():
+            if mock_execute.xend is True:
+                return ('', '')
+            elif mock_execute.xend is False:
+                raise processutils.ProcessExecutionError("error")
+            else:
+                raise OSError(2, "No such file or directory")
+        mock_xend_probe.side_effect = xend_probe_side_effect
 
         self.flags(virt_type="xen", group='libvirt')
         versions = [4000000, 4001000, 4002000, 4003000, 4005000]

nova/virt/libvirt/utils.py

@@ -129,8 +129,7 @@ def pick_disk_driver_name(hypervisor_version, is_block_dev=False):
             # 4002000 == 4.2.0
             if hypervisor_version >= 4002000:
                 try:
-                    utils.execute('xend', 'status',
-                                  run_as_root=True, check_exit_code=True)
+                    nova.privsep.libvirt.xend_probe()
                 except OSError as exc:
                     if exc.errno == errno.ENOENT:
                         LOG.debug("xend is not found")

releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml

@@ -8,4 +8,5 @@ upgrade:
   - |
     The following commands are no longer required to be listed in your rootwrap
     configuration: cat; chown; cryptsetup; dd; lvcreate; lvremove; lvs; mkdir;
-    mount; ploop; prl_disk_tool; readlink; shred; tee; touch; umount; and vgs.
+    mount; ploop; prl_disk_tool; readlink; shred; tee; touch; umount; vgs;
+    and xend.