[ovs-dev] [rhel --user v2 7/7] rhel: run daemons as the ovs user

Andy Zhou azhou at ovn.org
Fri Nov 20 11:33:20 UTC 2015 

Make RHEL systemd distributions start OVS and OVN daemons under user
ovs. The 'ovs' user and group will be created at the openvswitch RPM
installtion time.

Signed-off-by: Andy Zhou <azhou at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>
---
 rhel/openvswitch-fedora.spec.in                        | 18 ++++++++----------
 ...sr_lib_systemd_system_openvswitch-nonetwork.service |  4 ++--
 .../usr_lib_systemd_system_ovn-controller-vtep.service |  2 +-
 rhel/usr_lib_systemd_system_ovn-controller.service     |  2 +-
 rhel/usr_lib_systemd_system_ovn-northd.service         |  2 +-
 5 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index be22e87..b91f1b3 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -13,10 +13,6 @@
 
 #%define kernel 2.6.40.4-5.fc15.x86_64
 
-# If libcap-ng isn't available and there is no need for running OVS
-# as regular user, specify the '--without libcapng'
-%bcond_without libcapng
-
 # Enable PIE, bz#955181
 %global _hardened_build 1
 
@@ -46,9 +42,7 @@ BuildRequires: desktop-file-utils
 BuildRequires: groff graphviz
 # make check dependencies
 BuildRequires: procps-ng
-%if %{with libcapng}
 BuildRequires: libcap-ng libcap-ng-devel
-%endif
 
 Requires: openssl iproute module-init-tools
 #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3
@@ -112,11 +106,7 @@ overlays and security groups.
 
 %build
 %configure \
-%if %{with libcapng}
         --enable-libcapng \
-%else
-        --disable-libcapng \
-%endif
         --enable-ssl \
         --with-pkidir=%{_sharedstatedir}/openvswitch/pki
 
@@ -162,6 +152,11 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
 touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
 
+%pre
+# Add the "ovs" user and group
+/usr/sbin/useradd -c "Openvswitch Daemons" -s /sbin/nologin -r \
+                  -d %{_rundir}/openvswitch ovs 2> /dev/null || :
+
 %check
 %if %{with check}
     if make check TESTSUITEFLAGS='%{_smp_mflags}' ||
@@ -204,6 +199,8 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %post
+chown -R ovs:ovs /etc/openvswitch  #OVS DB files
+chown -R ovs:ovs %{_rundir}/openvswitch
 %if 0%{?systemd_post:1}
     %systemd_post %{name}.service
 %else
@@ -214,6 +211,7 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %post ovn
+chown -R ovs:ovs /var/lib/openvswitch  #OVN DB files
 %if 0%{?systemd_post:1}
     %systemd_post ovn-controller.service
     %systemd_post ovn-controller-vtep.service
diff --git a/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service b/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
index e4c2a66..f32ba24 100644
--- a/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
+++ b/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
@@ -9,7 +9,7 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start \
-          --system-id=random $OPTIONS
+          --system-id=random --user=ovs:ovs $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop
 RuntimeDirectory=openvswitch
-RuntimeDirectoryMode=0755
+RuntimeDirectoryMode=0775
diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
index 867a906..994bd77 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
@@ -27,4 +27,4 @@ Environment=VTEP_DB=unix:%t/openvswitch/db.sock
 ExecStart=/usr/bin/ovn-controller-vtep -vconsole:emer -vsyslog:err -vfile:info \
           --log-file=/var/log/openvswitch/ovn-controller-vtep.log \
           --no-chdir --pidfile=${OVS_RUNDIR}/ovn-controller-vtep.pid \
-          --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB}
+          --user ovs:ovs --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB}
diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
index 6b53ced..b01a804 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller.service
@@ -18,5 +18,5 @@ Type=simple
 Environment=OVS_RUNDIR=%t/openvswitch
 Environment=OVS_DB=unix:%t/openvswitch/db.sock
 ExecStart=/usr/bin/ovn-controller -vconsole:emer -vsyslog:err -vfile:info \
-          --log-file=/var/log/openvswitch/ovn-controller.log \
+          --log-file=/var/log/openvswitch/ovn-controller.log --user ovs:ovs \
           --no-chdir --pidfile=${OVS_RUNDIR}/ovn-controller.pid ${OVS_DB}
diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
index 5b3b03a..1abb8b3 100644
--- a/rhel/usr_lib_systemd_system_ovn-northd.service
+++ b/rhel/usr_lib_systemd_system_ovn-northd.service
@@ -8,5 +8,5 @@ After=openvswitch.service
 Type=oneshot
 RemainAfterExit=yes
 Environment=OVS_RUNDIR=%t/openvswitch OVS_DBDIR=/var/lib/openvswitch
-ExecStart=/usr/share/openvswitch/scripts/ovn-ctl start_northd
+ExecStart=/usr/share/openvswitch/scripts/ovn-ctl --user=ovs:ovs start_northd
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_northd
-- 
1.8.3.1

More information about the dev mailing list