[ovs-dev] [Debian-non-root v4 RFC 2/2] Debian: start daemons as ovs(non-root) user
Andy Zhou
azhou at ovn.org
Wed Nov 25 19:15:26 UTC 2015
Changes to Debian packaging scripts to create the ovs user and group.
Fix the permissions of ovs-created files and directories so that
they are accessible to users belonging to the ovs group.
Start daemons as the ovs user.
Signed-off-by: Andy Zhou <azhou at nicira.com>
----
This patch does not include changes to the ipsec package. Ansis has
other plans for updating it.
---
NEWS | 3 +-
debian/automake.mk | 1 +
debian/control | 1 +
debian/openvswitch-common.postinst | 52 ++++++++++++++++++++++++++++++
debian/openvswitch-pki.postinst | 5 +++
debian/openvswitch-switch.init | 4 +++
debian/openvswitch-switch.logrotate | 2 +-
debian/openvswitch-switch.postinst | 7 ++++
debian/openvswitch-testcontroller.init | 8 +++--
debian/openvswitch-testcontroller.postinst | 5 +++
debian/openvswitch-vtep.init | 11 ++++++-
11 files changed, 93 insertions(+), 6 deletions(-)
create mode 100755 debian/openvswitch-common.postinst
diff --git a/NEWS b/NEWS
index cf99844..831e145 100644
--- a/NEWS
+++ b/NEWS
@@ -28,7 +28,8 @@ Post-v2.4.0
- Add support for connection tracking through the new "ct" action
and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields. Only
available on Linux kernels with the connection tracking module loaded.
-
+ - Changed Debain and Redhat packaging to start OVS daemons as the 'ovs'
+ user and group.
v2.4.0 - 20 Aug 2015
---------------------
diff --git a/debian/automake.mk b/debian/automake.mk
index c29a560..3092569 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -8,6 +8,7 @@ EXTRA_DIST += \
debian/dkms.conf.in \
debian/dirs \
debian/openvswitch-common.dirs \
+ debian/openvswitch-common.postinst \
debian/openvswitch-common.docs \
debian/openvswitch-common.install \
debian/openvswitch-common.manpages \
diff --git a/debian/control b/debian/control
index 3eac644..7c07cb2 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@ Architecture: linux-any
Depends: openssl,
python,
python (>= 2.7) | python-argparse,
+ adduser,
${misc:Depends},
${shlibs:Depends}
Suggests: ethtool
diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst
new file mode 100755
index 0000000..0bc946a
--- /dev/null
+++ b/debian/openvswitch-common.postinst
@@ -0,0 +1,52 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ LOGDIR=/var/log/openvswitch
+ HOMEDIR=/var/run/openvswitch
+ # Create the ovs user and group.
+ if ! getent passwd ovs > /dev/null; then
+ echo 'Adding system-user for ovs' 1>&2
+ adduser --system --group --no-create-home --disabled-login \
+ --quiet --home $HOMEDIR $OVS_USER
+ adduser $OVS_USER adm || true
+ fi
+
+ # Fix ownership and permissions.
+ chown "$OVS_USER":"$OVS_GROUP" $LOGDIR
+ chown "$OVS_USER":"$OVS_GROUP" $HOMEDIR
+ chmod 0775 $HOMEDIR
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
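Review bot: `if ! getent passwd ovs > /dev/null; then` tests the literal name while the rest of the script uses `$OVS_USER`, so the two can silently diverge; write it as `if ! getent passwd "$OVS_USER" > /dev/null; then`. The `chown`/`chmod` lines under "Fix ownership and permissions." run under `set -e` with no existence check, and `$HOMEDIR` is under /var/run, which is volatile on many systems, so the postinst may abort on a fresh install unless something not shown here creates the directory first; `install -d -o "$OVS_USER" -g "$OVS_GROUP" -m 0775 "$HOMEDIR"` would both create and set it. `adduser $OVS_USER adm || true` hides any failure and puts the daemon account into `adm`, which grants read access well beyond OVS's own logs; if that membership is needed, a comment saying why would help, otherwise drop it. The `chown` on `$LOGDIR` is not recursive, so log files already present from a root-run daemon keep their old owner and a daemon started with `--user` may not be able to reopen them — presumably a `chown` of the existing `*.log` files is wanted as well. Finally, `OVS_USER=ovs`/`OVS_GROUP=$OVS_USER` is repeated by hand in every other init and postinst file in this patch; the init scripts already source ovs-lib, so one shared definition there would avoid drift.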
diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
index f4705e9..6983f75 100755
--- a/debian/openvswitch-pki.postinst
+++ b/debian/openvswitch-pki.postinst
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@ case "$1" in
if test ! -e /var/lib/openvswitch/pki; then
ovs-pki init
fi
+
+ chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
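Review bot: The added `chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch` is not recursive, so the `pki` tree that `ovs-pki init` creates a few lines above — including whatever private key material it writes — stays owned by root. If that is deliberate (the daemon only needs to own the top-level directory and the CA keys should not belong to the daemon account), a comment such as `# Hand only the top-level directory to the ovs user; the PKI tree created by ovs-pki init stays root-owned.` would stop a later change to `chown -R`. If it is not deliberate, the daemon's access to files under `pki/` should be checked before this lands. The enclosing `configure)` case arm starts outside the hunk.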
diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 8e156da..7b7ef46 100755
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -25,6 +25,9 @@
# the Open vSwitch kernel-based switch.
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
(test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0
. /usr/share/openvswitch/scripts/ovs-lib
@@ -64,6 +67,7 @@ start () {
if test X"$FORCE_COREFILES" != X; then
set "$@" --force-corefiles="$FORCE_COREFILES"
fi
+ set "$@" --user=$OVS_USER:$OVS_GROUP
set "$@" $OVS_CTL_OPTS
"$@" || exit $?
if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
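Review bot: `set "$@" --user=$OVS_USER:$OVS_GROUP` is appended unconditionally with `OVS_USER` fixed at the top of the script, so unlike `FORCE_COREFILES` just above there is no way to pick a different account from /etc/default/openvswitch-switch; if that is intended, a comment such as `# Always drop privileges to the packaged ovs account; not overridable via /etc/default.` would make it explicit, otherwise define it as `OVS_USER=${OVS_USER:-ovs}` after the defaults file is read. The value is also passed unquoted where the rest of the patch quotes `"$OVS_USER":"$OVS_GROUP"`; `set "$@" --user="$OVS_USER:$OVS_GROUP"` is consistent and stays safe if the variable ever becomes configurable. The `start()` function begins and ends outside the hunk, so whether the defaults file is sourced before this point is not visible here.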
diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate
index a7a71bd..e93c568 100644
--- a/debian/openvswitch-switch.logrotate
+++ b/debian/openvswitch-switch.logrotate
@@ -1,7 +1,7 @@
/var/log/openvswitch/*.log {
daily
compress
- create 640 root adm
+ create 640 ovs adm
delaycompress
missingok
rotate 30
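Review bot: `create 640 ovs adm` only affects the replacement files logrotate creates after a rotation; any log file already present when this package is upgraded keeps its previous root ownership, and the `chown` added to openvswitch-common.postinst in this patch is not recursive, so a daemon now started with `--user` may be unable to reopen its existing log until the next rotation. Adding an ownership fix-up for the existing `*.log` files in the postinst (or a one-time `chown` on the upgrade path) would close that gap; this is inferred from the files shown here, so it is worth confirming on a real upgrade.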
diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst
index 2464572..80acc42 100755
--- a/debian/openvswitch-switch.postinst
+++ b/debian/openvswitch-switch.postinst
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,10 @@ case "$1" in
fi
done
fi
+
+ # fix owner and permissions for /etc/openvswitch.
+ chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch
+ chmod 0775 /etc/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init
index 67b7a99..38efd3c 100755
--- a/debian/openvswitch-testcontroller.init
+++ b/debian/openvswitch-testcontroller.init
@@ -37,12 +37,15 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here
NAME=ovs-testcontroller # Introduce the short server's name here
DESC=ovs-testcontroller # Introduce a short description here
LOGDIR=/var/log/openvswitch # Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
PIDFILE=/var/run/openvswitch/$NAME.pid
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
+. /usr/share/openvswitch/scripts/ovs-lib
# Default options, these can be overriden by the information
# at /etc/default/openvswitch-testcontroller
@@ -108,9 +111,7 @@ start_server() {
exit 0
fi
- if [ ! -d /var/run/openvswitch ]; then
- install -d -m 755 -o root -g root /var/run/openvswitch
- fi
+ directory_check /var/run/openvswitch
SSL_OPTS=
case $LISTEN in
@@ -139,6 +140,7 @@ start_server() {
if [ -z "$DAEMONUSER" ] ; then
start-stop-daemon --start --pidfile $PIDFILE \
--exec $DAEMON -- --detach --pidfile=$PIDFILE \
+ --user $OVS_USER:$OVS_GROUP \
$LISTEN $DAEMON_OPTS $SSL_OPTS
errcode=$?
else
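Review bot: `directory_check /var/run/openvswitch` replaces an explicit `install -d -m 755 -o root -g root`, so the directory's owner and mode are now whatever the ovs-lib helper applies, which this hunk does not show; since the daemon now runs as `$OVS_USER` and writes `$PIDFILE` there, a comment stating the expected result (e.g. `# directory_check must leave the run directory writable by $OVS_USER so the pidfile can be created.`) would document the assumption. The `--user $OVS_USER:$OVS_GROUP` line is added only inside the `if [ -z "$DAEMONUSER" ]` branch; the `else` branch starts outside the hunk, and if it already switches user through start-stop-daemon, the two mechanisms should not both be applied. `start_server()` begins and ends outside the hunks.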
diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst
index 7242b4a..66112e3 100755
--- a/debian/openvswitch-testcontroller.postinst
+++ b/debian/openvswitch-testcontroller.postinst
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@ case "$1" in
chmod go+r cert.pem req.pem
umask $oldumask
fi
+
+ chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller
;;
abort-upgrade|abort-remove|abort-deconfigure)
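Review bot: `chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller` changes only the directory; the certificate and key files generated in the block just above (`chmod go+r cert.pem req.pem` shows them being created there as root) keep their root ownership, and the private key presumably stays unreadable to others, so ovs-testcontroller started with `--user` elsewhere in this patch may fail to load it. If the daemon must read that key, chown the generated files as well, e.g. `chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller/*.pem` after this line — this depends on how the files above are created, which is outside the hunk. The enclosing `configure)` arm starts outside the hunk.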
diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
index ebf4e26..4f5872b 100644
--- a/debian/openvswitch-vtep.init
+++ b/debian/openvswitch-vtep.init
@@ -10,6 +10,10 @@
# Description: Initializes the Open vSwitch VTEP emulator
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+. /usr/share/openvswitch/scripts/ovs-lib
# Include defaults if available
default=/etc/default/openvswitch-vtep
@@ -40,17 +44,22 @@ start () {
cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
fi
+ chmod -R 0775 /var/run/openvswitch
+ directory_check /etc/openvswitch
+ directory_check /var/run/openvswitch
+
ovsdb-server --pidfile --detach --log-file --remote \
punix:/var/run/openvswitch/db.sock \
--remote=db:hardware_vtep,Global,managers \
--private-key=/etc/openvswitch/ovsclient-privkey.pem \
--certificate=/etc/openvswitch/ovsclient-cert.pem \
--bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+ --user $OVS_USER:$OVS_GROUP \
/etc/openvswitch/conf.db /etc/openvswitch/vtep.db
modprobe openvswitch
- ovs-vswitchd --pidfile --detach --log-file \
+ ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
unix:/var/run/openvswitch/db.sock
}
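Review bot: `chmod -R 0775 /var/run/openvswitch` runs before `directory_check /var/run/openvswitch`, so on a system where the directory does not yet exist the chmod fails first (whether that aborts the script depends on shell options set outside the hunk), and it is recursive, so every socket and pidfile already in the directory becomes group-writable and executable, which is broader than needed. Moving it after the `directory_check` and limiting it to the directory itself, `chmod 0775 /var/run/openvswitch`, gives the daemon account what it needs to create its socket and pidfile without widening existing entries; the `--user` arguments added to `ovsdb-server` and `ovs-vswitchd` below look right. `start()` begins outside the hunk.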
--
1.9.1