authorThierry Carrez <thierry@openstack.org>2012-02-29 16:22:42 +0100
committerThierry Carrez <thierry@openstack.org>2012-03-01 10:35:41 +0100
commit73dfd4ea0d369cb1b88a4f66eb55f3587993b83a (patch)
treeaa45f3f5a8530bc32b08cd303e7f95e023a389be
parentea201522d440c90e91e299910596c459fd3731cd (diff)
downloadnova-73dfd4ea0d369cb1b88a4f66eb55f3587993b83a.tar.gz
Add missing filters for new root commands
Add missing rootwrap filters for 'ovs-ofctl', 'cp' and 'mkfs'. Do not run 'rm' as root since it's unnecessary. Add documentation to try to prevent future misses. Fixes bug 943293. Change-Id: Ia680048a28a75f661a136d8447ff0aaf195649ba
-rwxr-xr-xnova/rootwrap/compute.py9
-rwxr-xr-xnova/rootwrap/network.py3
-rw-r--r--nova/utils.py2
-rw-r--r--nova/virt/disk/api.py4
4 files changed, 16 insertions, 2 deletions
diff --git a/nova/rootwrap/compute.py b/nova/rootwrap/compute.py
index 65e6dfebbd..445e797d4f 100755
--- a/nova/rootwrap/compute.py
+++ b/nova/rootwrap/compute.py
@@ -73,6 +73,9 @@ filterlist = [
# nova/virt/disk/api.py: 'chmod', 755, netdir
filters.CommandFilter("/bin/chmod", "root"),
+ # nova/virt/disk/api.py: 'cp', os.path.join(fs...
+ filters.CommandFilter("/bin/cp", "root"),
+
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
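Review bot: The new `filters.CommandFilter("/bin/cp", "root")` entry names only the executable and gives no argument pattern, so as written it appears to allow any `cp` source and destination as root, not just the passwd/shadow copy the comment points at. If the filters module has an argument-matching filter, prefer it here. Otherwise record the breadth in the comment, e.g. `# NOTE: arguments are not restricted; any cp invocation is allowed as root`. The same applies to the `/sbin/mkfs` entry added further down this file and to the `/usr/bin/ovs-ofctl` entries added here and in nova/rootwrap/network.py. The `filterlist` literal starts and ends outside this hunk.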
@@ -102,6 +105,9 @@ filterlist = [
# nova/network/linux_net.py: 'ovs-vsctl', ....
filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
+ # nova/network/linux_net.py: 'ovs-ofctl', ....
+ filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
+
# nova/virt/libvirt/connection.py: 'dd', "if=%s" % virsh_output, ...
filters.CommandFilter("/bin/dd", "root"),
@@ -169,6 +175,9 @@ filterlist = [
# nova/virt/xenapi/vm_utils.py: 'mkswap'
filters.CommandFilter("/sbin/mkswap", "root"),
+ # nova/virt/xenapi/vm_utils.py: 'mkfs'
+ filters.CommandFilter("/sbin/mkfs", "root"),
+
# nova/virt/libvirt/connection.py:
filters.ReadFileFilter("/etc/iscsi/initiatorname.iscsi"),
]
diff --git a/nova/rootwrap/network.py b/nova/rootwrap/network.py
index f9fd9b9c33..62fec18e49 100755
--- a/nova/rootwrap/network.py
+++ b/nova/rootwrap/network.py
@@ -83,4 +83,7 @@ filterlist = [
# nova/network/linux_net.py: 'ovs-vsctl', ....
filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
+
+ # nova/network/linux_net.py: 'ovs-ofctl', ....
+ filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
]
diff --git a/nova/utils.py b/nova/utils.py
index df008c0902..a224b38784 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -164,6 +164,8 @@ def fetchfile(url, target):
def execute(*cmd, **kwargs):
"""
Helper method to execute command with optional retry.
+ If you add a run_as_root=True command, don't forget to add the
+ corresponding filter to nova.rootwrap !
:cmd Passed to subprocess.Popen.
:process_input Send to opened process.
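Review bot: The added reminder does not say which filter list a new command belongs in or what form the entry takes, so it is easy to read past. Naming the files would make it actionable, for example `add a matching filter (absolute path of the binary) to nova/rootwrap/compute.py or nova/rootwrap/network.py`. A docstring is only advisory; a test that checks `run_as_root=True` call sites against the filter lists would catch the next miss, if the project has a place for one. The docstring and the body of `execute` continue outside the hunk.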
diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
index 42ad683a66..8fdc59b803 100644
--- a/nova/virt/disk/api.py
+++ b/nova/virt/disk/api.py
@@ -373,10 +373,10 @@ def _inject_admin_password_into_fs(admin_passwd, fs, execute=None):
_set_passwd(admin_user, admin_passwd, tmp_passwd, tmp_shadow)
utils.execute('cp', tmp_passwd, os.path.join(fs, 'etc', 'passwd'),
run_as_root=True)
- utils.execute('rm', tmp_passwd, run_as_root=True)
+ os.unlink(tmp_passwd)
utils.execute('cp', tmp_shadow, os.path.join(fs, 'etc', 'shadow'),
run_as_root=True)
- utils.execute('rm', tmp_shadow, run_as_root=True)
+ os.unlink(tmp_shadow)
def _set_passwd(username, admin_passwd, passwd_file, shadow_file):
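Review bot: The two `os.unlink` calls only run when the preceding `cp` succeeds, so if `utils.execute` raises on a failed copy (not visible here), `tmp_passwd` and `tmp_shadow` stay on disk, and the latter holds the new password hash. Wrapping both `cp` calls in `try:` and moving `os.unlink(tmp_passwd)` and `os.unlink(tmp_shadow)` into a `finally:` would remove the temp files on every path. Separately, the `cp` destination is built from `fs`, which is presumably a mounted guest image; if so, it is worth confirming the joined path cannot resolve outside `fs` before writing to it as root. The start of `_inject_admin_password_into_fs`, where the temp files are created, is outside the hunk.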