[ovs-dev] [Debian-non-root v4 RFC 2/2] Debian: start daemons as ovs(non-root) user

Andy Zhou azhou at ovn.org
Wed Nov 25 19:15:26 UTC 2015 

Changes to Debian packaging scripts to create the ovs user and group.
Fix the permissions of ovs created files and directories so that
they are accessible by users belong to the ovs group.
Start daemons as the ovs user.

Signed-off-by: Andy Zhou <azhou at nicira.com>

----
This patch does not include changes to the ipsec package. Ansis has
other plans for updating it.
---
 NEWS                                       |  3 +-
 debian/automake.mk                         |  1 +
 debian/control                             |  1 +
 debian/openvswitch-common.postinst         | 52 ++++++++++++++++++++++++++++++
 debian/openvswitch-pki.postinst            |  5 +++
 debian/openvswitch-switch.init             |  4 +++
 debian/openvswitch-switch.logrotate        |  2 +-
 debian/openvswitch-switch.postinst         |  7 ++++
 debian/openvswitch-testcontroller.init     |  8 +++--
 debian/openvswitch-testcontroller.postinst |  5 +++
 debian/openvswitch-vtep.init               | 11 ++++++-
 11 files changed, 93 insertions(+), 6 deletions(-)
 create mode 100755 debian/openvswitch-common.postinst

diff --git a/NEWS b/NEWS
index cf99844..831e145 100644
--- a/NEWS
+++ b/NEWS
@@ -28,7 +28,8 @@ Post-v2.4.0
    - Add support for connection tracking through the new "ct" action
      and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields.  Only
      available on Linux kernels with the connection tracking module loaded.
-
+   - Changed Debain and Redhat packaging to start OVS daemons as the 'ovs'
+     user and group.
 
 v2.4.0 - 20 Aug 2015
 ---------------------
diff --git a/debian/automake.mk b/debian/automake.mk
index c29a560..3092569 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -8,6 +8,7 @@ EXTRA_DIST += \
 	debian/dkms.conf.in \
 	debian/dirs \
 	debian/openvswitch-common.dirs \
+	debian/openvswitch-common.postinst \
 	debian/openvswitch-common.docs \
 	debian/openvswitch-common.install \
 	debian/openvswitch-common.manpages \
diff --git a/debian/control b/debian/control
index 3eac644..7c07cb2 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: linux-any
 Depends: openssl,
          python,
          python (>= 2.7) | python-argparse,
+         adduser,
          ${misc:Depends},
          ${shlibs:Depends}
 Suggests: ethtool
diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst
new file mode 100755
index 0000000..0bc946a
--- /dev/null
+++ b/debian/openvswitch-common.postinst
@@ -0,0 +1,52 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        LOGDIR=/var/log/openvswitch
+        HOMEDIR=/var/run/openvswitch
+        # Create the ovs user and group.
+        if ! getent passwd ovs > /dev/null; then
+            echo 'Adding system-user for ovs' 1>&2
+            adduser --system --group --no-create-home --disabled-login \
+                     --quiet --home $HOMEDIR $OVS_USER
+            adduser $OVS_USER adm || true
+        fi
+
+        # Fix ownership and permissions.
+        chown "$OVS_USER":"$OVS_GROUP" $LOGDIR
+        chown "$OVS_USER":"$OVS_GROUP" $HOMEDIR
+        chmod 0775 $HOMEDIR
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
index f4705e9..6983f75 100755
--- a/debian/openvswitch-pki.postinst
+++ b/debian/openvswitch-pki.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@ case "$1" in
         if test ! -e /var/lib/openvswitch/pki; then
             ovs-pki init
         fi
+
+        chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 8e156da..7b7ef46 100755
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -25,6 +25,9 @@
 #                    the Open vSwitch kernel-based switch.
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 (test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0
 
 . /usr/share/openvswitch/scripts/ovs-lib
@@ -64,6 +67,7 @@ start () {
     if test X"$FORCE_COREFILES" != X; then
 	set "$@" --force-corefiles="$FORCE_COREFILES"
     fi
+    set "$@" --user=$OVS_USER:$OVS_GROUP
     set "$@" $OVS_CTL_OPTS
     "$@" || exit $?
     if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate
index a7a71bd..e93c568 100644
--- a/debian/openvswitch-switch.logrotate
+++ b/debian/openvswitch-switch.logrotate
@@ -1,7 +1,7 @@
 /var/log/openvswitch/*.log {
     daily
     compress
-    create 640 root adm
+    create 640 ovs adm
     delaycompress
     missingok
     rotate 30
diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst
index 2464572..80acc42 100755
--- a/debian/openvswitch-switch.postinst
+++ b/debian/openvswitch-switch.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,10 @@ case "$1" in
                 fi
             done
 	fi
+
+	# fix owner and permissions for /etc/openvswitch.
+	chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch
+	chmod 0775 /etc/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init
index 67b7a99..38efd3c 100755
--- a/debian/openvswitch-testcontroller.init
+++ b/debian/openvswitch-testcontroller.init
@@ -37,12 +37,15 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here
 NAME=ovs-testcontroller         # Introduce the short server's name here
 DESC=ovs-testcontroller         # Introduce a short description here
 LOGDIR=/var/log/openvswitch	# Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
 
 PIDFILE=/var/run/openvswitch/$NAME.pid
 
 test -x $DAEMON || exit 0
 
 . /lib/lsb/init-functions
+. /usr/share/openvswitch/scripts/ovs-lib
 
 # Default options, these can be overriden by the information
 # at /etc/default/openvswitch-testcontroller
@@ -108,9 +111,7 @@ start_server() {
         exit 0
     fi
 
-    if [ ! -d /var/run/openvswitch ]; then
-        install -d -m 755 -o root -g root /var/run/openvswitch
-    fi
+    directory_check /var/run/openvswitch
 
     SSL_OPTS=
     case $LISTEN in
@@ -139,6 +140,7 @@ start_server() {
         if [ -z "$DAEMONUSER" ] ; then
             start-stop-daemon --start --pidfile $PIDFILE \
                         --exec $DAEMON -- --detach --pidfile=$PIDFILE \
+                        --user $OVS_USER:$OVS_GROUP \
                         $LISTEN $DAEMON_OPTS $SSL_OPTS
             errcode=$?
         else
diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst
index 7242b4a..66112e3 100755
--- a/debian/openvswitch-testcontroller.postinst
+++ b/debian/openvswitch-testcontroller.postinst
@@ -5,6 +5,9 @@
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@ case "$1" in
             chmod go+r cert.pem req.pem
             umask $oldumask
         fi
+
+        chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
index ebf4e26..4f5872b 100644
--- a/debian/openvswitch-vtep.init
+++ b/debian/openvswitch-vtep.init
@@ -10,6 +10,10 @@
 # Description:       Initializes the Open vSwitch VTEP emulator
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+. /usr/share/openvswitch/scripts/ovs-lib
 
 # Include defaults if available
 default=/etc/default/openvswitch-vtep
@@ -40,17 +44,22 @@ start () {
         cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
     fi
 
+    chmod -R 0775 /var/run/openvswitch
+    directory_check /etc/openvswitch
+    directory_check /var/run/openvswitch
+
     ovsdb-server --pidfile --detach --log-file --remote \
         punix:/var/run/openvswitch/db.sock \
         --remote=db:hardware_vtep,Global,managers \
         --private-key=/etc/openvswitch/ovsclient-privkey.pem \
         --certificate=/etc/openvswitch/ovsclient-cert.pem \
         --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+        --user $OVS_USER:$OVS_GROUP \
         /etc/openvswitch/conf.db /etc/openvswitch/vtep.db
 
     modprobe openvswitch
 
-    ovs-vswitchd --pidfile --detach --log-file \
+    ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
         unix:/var/run/openvswitch/db.sock
 }
 
-- 
1.9.1

More information about the dev mailing list