Use exec_dirs for rootwrap commands

Avoid depending on platform specific paths for rootwrap
by using exec_dirs in rootwrap. Fixes rootwrap configuration
for SUSE.

Fixes bug #1156044

Change-Id: I54d082c543fd84b40db0caa3571300ac0bb07b57

etc/quantum/rootwrap.d/debug.filters

@@ -10,5 +10,5 @@
 
 # This is needed because we should ping
 # from inside a namespace which requires root
-ping: RegExpFilter, /bin/ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
-ping6: RegExpFilter, /bin/ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+

etc/quantum/rootwrap.d/dhcp.filters

@@ -9,7 +9,7 @@
 [Filters]
 
 # dhcp-agent
-ip_exec_dnsmasq: DnsmasqNetnsFilter, /sbin/ip, root
+ip_exec_dnsmasq: DnsmasqNetnsFilter, ip, root
 dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
 dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
@@ -19,14 +19,11 @@ kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
 
 # dhcp-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
 
 # metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
@@ -36,7 +33,5 @@ kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
 kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
 
 # ip_lib
-ip: IpFilter, /sbin/ip, root
+ip: IpFilter, ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
+ip_exec: IpNetnsExecFilter, ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root

etc/quantum/rootwrap.d/iptables-firewall.filters

@@ -10,12 +10,12 @@
 
 # quantum/agent/linux/iptables_manager.py
 #   "iptables-save", ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
+iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
+iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
 
 # quantum/agent/linux/iptables_manager.py
 #   "iptables", "-A", ...
-iptables: CommandFilter, /sbin/iptables, root
+iptables: CommandFilter, iptables, root
-ip6tables: CommandFilter, /sbin/ip6tables, root
+ip6tables: CommandFilter, ip6tables, root

etc/quantum/rootwrap.d/l3.filters

@@ -9,15 +9,14 @@
 [Filters]
 
 # arping
-arping: CommandFilter, /usr/bin/arping, root
+arping: CommandFilter, arping, root
-arping_sbin: CommandFilter, /sbin/arping, root
 
 # l3_agent
-sysctl: CommandFilter, /sbin/sysctl, root
+sysctl: CommandFilter, sysctl, root
-route: CommandFilter, /sbin/route, root
+route: CommandFilter, route, root
 
 # metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
 # If installed from source (say, by devstack), the prefix will be
 # /usr/local instead of /usr/bin.
 metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
@@ -27,19 +26,14 @@ kill_metadata7: KillFilter, root, /usr/bin/python2.7, -9
 kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
 
 # ip_lib
-ip: IpFilter, /sbin/ip, root
+ip: IpFilter, ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
+ip_exec: IpNetnsExecFilter, ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
 
 # ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
 
 # iptables_manager
-iptables-save: CommandFilter, /sbin/iptables-save, root
+iptables-save: CommandFilter, iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
+iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
+ip6tables-save: CommandFilter, ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root

etc/quantum/rootwrap.d/lbaas-haproxy.filters

@@ -9,21 +9,16 @@
 [Filters]
 
 # haproxy
-haproxy: CommandFilter, /usr/sbin/haproxy, root
+haproxy: CommandFilter, haproxy, root
 
 # lbaas-agent uses kill as well, that's handled by the generic KillFilter
 kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
 
 # lbaas-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
 
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
 
 # ip_lib
-ip: IpFilter, /sbin/ip, root
+ip: IpFilter, ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
+ip_exec: IpNetnsExecFilter, ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root

etc/quantum/rootwrap.d/linuxbridge-plugin.filters

@@ -11,11 +11,8 @@
 # linuxbridge-agent
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
-brctl: CommandFilter, /sbin/brctl, root
+brctl: CommandFilter, brctl, root
-brctl_usr: CommandFilter, /usr/sbin/brctl, root
 
 # ip_lib
-ip: IpFilter, /sbin/ip, root
+ip: IpFilter, ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
+ip_exec: IpNetnsExecFilter, ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root

etc/quantum/rootwrap.d/nec-plugin.filters

@@ -9,7 +9,4 @@
 [Filters]
 
 # nec_quantum_agent
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root

etc/quantum/rootwrap.d/openvswitch-plugin.filters

@@ -11,19 +11,10 @@
 # openvswitch-agent
 # unclear whether both variants are necessary, but I'm transliterating
 # from the old mechanism
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
+ovs-ofctl: CommandFilter, ovs-ofctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
+xe: CommandFilter, xe, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
-ovs-ofctl: CommandFilter, /bin/ovs-ofctl, root
-ovs-ofctl_usr: CommandFilter, /usr/bin/ovs-ofctl, root
-ovs-ofctl_sbin: CommandFilter, /sbin/ovs-ofctl, root
-ovs-ofctl_sbin_usr: CommandFilter, /usr/sbin/ovs-ofctl, root
-xe: CommandFilter, /sbin/xe, root
-xe_usr: CommandFilter, /usr/sbin/xe, root
 
 # ip_lib
-ip: IpFilter, /sbin/ip, root
+ip: IpFilter, ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
+ip_exec: IpNetnsExecFilter, ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root

etc/quantum/rootwrap.d/ryu-plugin.filters

@@ -14,12 +14,8 @@
 
 # quantum/plugins/ryu/agent/ryu_quantum_agent.py:
 #   "ovs-vsctl", "--timeout=2", ...
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
 
 # quantum/plugins/ryu/agent/ryu_quantum_agent.py:
 #   "xe", "vif-param-get", ...
-xe: CommandFilter, /bin/xe, root
+xe: CommandFilter, xe, root
-xe_usr: CommandFilter, /usr/bin/xe, root

etc/rootwrap.conf

@@ -3,6 +3,12 @@
 # These directories MUST all be only writeable by root !
 filters_path=/etc/quantum/rootwrap.d,/usr/share/quantum/rootwrap
 
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
 [XENAPI]
 # XenAPI configuration is only required by the L2 agent if it is to
 # target a XenServer/XCP compute host's dom0.