[ovs-dev] [rhel --user v2 7/7] rhel: run daemons as the ovs user

Flavio Leitner fbl at sysclose.org
Fri Nov 27 13:35:01 UTC 2015 

On Fri, Nov 20, 2015 at 03:33:20AM -0800, Andy Zhou wrote:
> Make RHEL systemd distributions start OVS and OVN daemons under user
> ovs. The 'ovs' user and group will be created at the openvswitch RPM
> installtion time.
> 
> Signed-off-by: Andy Zhou <azhou at ovn.org>
> Acked-by: Ben Pfaff <blp at ovn.org>
> ---
>  rhel/openvswitch-fedora.spec.in                        | 18 ++++++++----------
>  ...sr_lib_systemd_system_openvswitch-nonetwork.service |  4 ++--
>  .../usr_lib_systemd_system_ovn-controller-vtep.service |  2 +-
>  rhel/usr_lib_systemd_system_ovn-controller.service     |  2 +-
>  rhel/usr_lib_systemd_system_ovn-northd.service         |  2 +-
>  5 files changed, 13 insertions(+), 15 deletions(-)
> 
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index be22e87..b91f1b3 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -13,10 +13,6 @@
>  
>  #%define kernel 2.6.40.4-5.fc15.x86_64
>  
> -# If libcap-ng isn't available and there is no need for running OVS
> -# as regular user, specify the '--without libcapng'
> -%bcond_without libcapng
> -

People building small build roots with openvswitch could use that option,
but I don't know for sure if anyone is actually doing that.  OK, let's
remove that and if anyone complains we can easily bring it back.


>  # Enable PIE, bz#955181
>  %global _hardened_build 1
>  
> @@ -46,9 +42,7 @@ BuildRequires: desktop-file-utils
>  BuildRequires: groff graphviz
>  # make check dependencies
>  BuildRequires: procps-ng
> -%if %{with libcapng}
>  BuildRequires: libcap-ng libcap-ng-devel
> -%endif
>  
>  Requires: openssl iproute module-init-tools
>  #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3
> @@ -112,11 +106,7 @@ overlays and security groups.
>  
>  %build
>  %configure \
> -%if %{with libcapng}
>          --enable-libcapng \
> -%else
> -        --disable-libcapng \
> -%endif
>          --enable-ssl \
>          --with-pkidir=%{_sharedstatedir}/openvswitch/pki
>  
> @@ -162,6 +152,11 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
>  touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
>  touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
>  
> +%pre
> +# Add the "ovs" user and group
> +/usr/sbin/useradd -c "Openvswitch Daemons" -s /sbin/nologin -r \
> +                  -d %{_rundir}/openvswitch ovs 2> /dev/null || :
> +

I suggest to rename the user and group to 'openvswitch'.

Redirecting all errors to /dev/null can hide tricky bugs during
installations.  I suggest to do something like:

if ! getent passwd openvswitch >/dev/null; then
    useradd -c "Openvswitch Daemons" -s /sbin/nologin -r \
        -d %{_rundir}/openvswitch openvswitch
fi
exit 0



>  %check
>  %if %{with check}
>      if make check TESTSUITEFLAGS='%{_smp_mflags}' ||
> @@ -204,6 +199,8 @@ rm -rf $RPM_BUILD_ROOT
>  %endif
>  
>  %post
> +chown -R ovs:ovs /etc/openvswitch  #OVS DB files
> +chown -R ovs:ovs %{_rundir}/openvswitch

This breaks rpm -V. You need to change file permissions in the
%file sections otherwise the filesystem and rpmdb won't match.

Also, %{_rundir}/openvswitch is marked as %ghost which means that
directory isn't packaged.  It is created by systemd when the service
is initializing (RuntimeDirectory).  Here we have a problem because
systemd will set rundir ownership to User= and Group= specified in
the service (which we don't specify, so root:root is assumed) and we
can't package the directory because /run is a tmpfs.

Since you fix the %{_rundir}/openvswitch in the script ovs-lib, it seems
enough to just patch the line below:

- %ghost %attr(755,root,root) %{_rundir}/openvswitch
+ %ghost %attr(755,openvswitch,openvswitch) %{_rundir}/openvswitch

See:
http://www.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html


>  %if 0%{?systemd_post:1}
>      %systemd_post %{name}.service
>  %else
> @@ -214,6 +211,7 @@ rm -rf $RPM_BUILD_ROOT
>  %endif
>  
>  %post ovn
> +chown -R ovs:ovs /var/lib/openvswitch  #OVN DB files

breaks rpmdb too.


>  %if 0%{?systemd_post:1}
>      %systemd_post ovn-controller.service
>      %systemd_post ovn-controller-vtep.service
> diff --git a/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service b/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
> index e4c2a66..f32ba24 100644
> --- a/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
> +++ b/rhel/usr_lib_systemd_system_openvswitch-nonetwork.service
> @@ -9,7 +9,7 @@ Type=oneshot
>  RemainAfterExit=yes
>  EnvironmentFile=-/etc/sysconfig/openvswitch
>  ExecStart=/usr/share/openvswitch/scripts/ovs-ctl start \
> -          --system-id=random $OPTIONS
> +          --system-id=random --user=ovs:ovs $OPTIONS
>  ExecStop=/usr/share/openvswitch/scripts/ovs-ctl stop
>  RuntimeDirectory=openvswitch
> -RuntimeDirectoryMode=0755
> +RuntimeDirectoryMode=0775

You need to sync this with the %attr above and the
ovs-lib (proposed 755)

Thanks,
fbl

> diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
> index 867a906..994bd77 100644
> --- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
> +++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
> @@ -27,4 +27,4 @@ Environment=VTEP_DB=unix:%t/openvswitch/db.sock
>  ExecStart=/usr/bin/ovn-controller-vtep -vconsole:emer -vsyslog:err -vfile:info \
>            --log-file=/var/log/openvswitch/ovn-controller-vtep.log \
>            --no-chdir --pidfile=${OVS_RUNDIR}/ovn-controller-vtep.pid \
> -          --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB}
> +          --user ovs:ovs --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB}
> diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
> index 6b53ced..b01a804 100644
> --- a/rhel/usr_lib_systemd_system_ovn-controller.service
> +++ b/rhel/usr_lib_systemd_system_ovn-controller.service
> @@ -18,5 +18,5 @@ Type=simple
>  Environment=OVS_RUNDIR=%t/openvswitch
>  Environment=OVS_DB=unix:%t/openvswitch/db.sock
>  ExecStart=/usr/bin/ovn-controller -vconsole:emer -vsyslog:err -vfile:info \
> -          --log-file=/var/log/openvswitch/ovn-controller.log \
> +          --log-file=/var/log/openvswitch/ovn-controller.log --user ovs:ovs \
>            --no-chdir --pidfile=${OVS_RUNDIR}/ovn-controller.pid ${OVS_DB}
> diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
> index 5b3b03a..1abb8b3 100644
> --- a/rhel/usr_lib_systemd_system_ovn-northd.service
> +++ b/rhel/usr_lib_systemd_system_ovn-northd.service
> @@ -8,5 +8,5 @@ After=openvswitch.service
>  Type=oneshot
>  RemainAfterExit=yes
>  Environment=OVS_RUNDIR=%t/openvswitch OVS_DBDIR=/var/lib/openvswitch
> -ExecStart=/usr/share/openvswitch/scripts/ovn-ctl start_northd
> +ExecStart=/usr/share/openvswitch/scripts/ovn-ctl --user=ovs:ovs start_northd
>  ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_northd
> -- 
> 1.8.3.1
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev

More information about the dev mailing list