[ovs-dev] [Debian-non-root 4/4] Debian: start daemons as ovs(non-root) user

Andy Zhou azhou at nicira.com
Tue Oct 6 01:38:44 UTC 2015


Changes to Debian packaging scripts to create the ovs user and group.
Fix the permissions of the files and directories OVS creates so that
they are accessible to users belonging to the ovs group.
Start daemons as the ovs user.

Signed-off-by: Andy Zhou <azhou at nicira.com>

----
This patch does not include changes to the ipsec package. Ansis has
other plans for updating it.
---
 NEWS                                       |  3 ++-
 debian/automake.mk                         |  1 +
 debian/openvswitch-common.postinst         | 42 ++++++++++++++++++++++++++++++
 debian/openvswitch-pki.postinst            |  2 ++
 debian/openvswitch-switch.init             |  1 +
 debian/openvswitch-switch.logrotate        |  2 +-
 debian/openvswitch-switch.postinst         |  3 +++
 debian/openvswitch-testcontroller.init     |  3 ++-
 debian/openvswitch-testcontroller.postinst |  2 ++
 debian/openvswitch-vtep.init               |  8 +++++-
 10 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100755 debian/openvswitch-common.postinst

diff --git a/NEWS b/NEWS
index cdf2815..8f0e5b6 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,8 @@ Post-v2.4.0
    - Dropped support for GRE64 tunnel.
    - Mark --syslog-target argument as deprecated.  It will be removed in
      the next OVS release.
-   - Added --user option to all daemons
+   - Added --user option to all daemons.
+   - Debain package starts daemons as the 'ovs' user.
 
 
 v2.4.0 - 20 Aug 2015
diff --git a/debian/automake.mk b/debian/automake.mk
index c29a560..3092569 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -8,6 +8,7 @@ EXTRA_DIST += \
 	debian/dkms.conf.in \
 	debian/dirs \
 	debian/openvswitch-common.dirs \
+	debian/openvswitch-common.postinst \
 	debian/openvswitch-common.docs \
 	debian/openvswitch-common.install \
 	debian/openvswitch-common.manpages \
diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst
new file mode 100755
index 0000000..c90ab5a
--- /dev/null
+++ b/debian/openvswitch-common.postinst
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        LOGDIR=/var/log/openvswitch
+        # Create the ovs user and group.
+        adduser --system --group --no-create-home --quiet ovs || true
+
+        # Fix ownership and permissions.
+        chown -R ovs:ovs $LOGDIR
+        chmod -R 0770 $LOGDIR
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
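Review bot: `adduser --system --group --no-create-home --quiet ovs || true` swallows every failure, including the case where a pre-existing non-system `ovs` login account is silently adopted, and a genuine adduser failure only surfaces later as an opaque `chown: invalid user` under `set -e`; test for the account first and let a real failure abort. `chmod -R 0770 $LOGDIR` sets the execute bit on every existing log file, produces a mode the package's own logrotate rule (`create 640 ovs ovs`) will not reproduce, and a 0770 ovs:ovs directory locks out the `adm` group that could previously read these logs, which is worth stating as intentional. Apply directory and file modes separately and quote the path. The header comment still reads `postinst script for openvswitch-switch` although this file is `openvswitch-common.postinst`.

```shell
        LOGDIR=/var/log/openvswitch
        # Create the ovs system user/group once; a real adduser failure
        # must abort the install (set -e) rather than be masked.
        if ! getent passwd ovs >/dev/null; then
            adduser --system --group --no-create-home --quiet ovs
        fi

        # Directory: rwx for owner and ovs group only (NOTE: this also
        # drops read access for the adm group used by the old logrotate rule).
        # Files: rw for owner/group, never executable.
        chown -R ovs:ovs "$LOGDIR"
        chmod 0770 "$LOGDIR"
        find "$LOGDIR" -type f -exec chmod 0660 {} +
```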
diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
index f4705e9..030180d 100755
--- a/debian/openvswitch-pki.postinst
+++ b/debian/openvswitch-pki.postinst
@@ -31,6 +31,8 @@ case "$1" in
         if test ! -e /var/lib/openvswitch/pki; then
             ovs-pki init
         fi
+
+        chown ovs:ovs -R /var/lib/openvswitch/pki
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
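Review bot: `chown ovs:ovs -R /var/lib/openvswitch/pki` makes the daemon user the owner of the entire PKI tree, and if `ovs-pki init` creates the CA private keys under it (as its name suggests; the layout is not visible here) a compromised daemon could then mint arbitrary switch or controller certificates instead of merely reading its own. A CA signing key should stay `root:root 0600`; narrow the change to what the daemons need at runtime, e.g. `chgrp -R ovs /var/lib/openvswitch/pki` plus group read on the public certificate files, leaving the private-key directories untouched. A one-line comment stating which files the ovs user must be able to read would make the intent reviewable. The enclosing `case` arm begins outside the hunk.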
diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 8e156da..febf414 100755
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -64,6 +64,7 @@ start () {
     if test X"$FORCE_COREFILES" != X; then
 	set "$@" --force-corefiles="$FORCE_COREFILES"
     fi
+    set "$@" --no-run-as-root
     set "$@" $OVS_CTL_OPTS
     "$@" || exit $?
     if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
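Review bot: `set "$@" --no-run-as-root` is appended unconditionally, so unlike openvswitch-vtep.init in this same patch (which defines `OVS_USER`/`OVS_GROUP` before sourcing its defaults) there is no setting in /etc/default/openvswitch-switch that lets an administrator keep running as root during a migration or pick a different account; the only escape hatch is `$OVS_CTL_OPTS` on the following line, and whether a later option can override this one depends on ovs-ctl's option parsing, which is not visible here. Consider gating it on a defaults variable, e.g. `if [ "$RUN_AS_ROOT" != "yes" ]; then set "$@" --no-run-as-root; fi`, and documenting the variable in the defaults file. `start()` begins and ends outside the hunk.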
diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate
index a7a71bd..be929b6 100644
--- a/debian/openvswitch-switch.logrotate
+++ b/debian/openvswitch-switch.logrotate
@@ -1,7 +1,7 @@
 /var/log/openvswitch/*.log {
     daily
     compress
-    create 640 root adm
+    create 640 ovs ovs
     delaycompress
     missingok
     rotate 30
diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst
index 2464572..9183bdc 100755
--- a/debian/openvswitch-switch.postinst
+++ b/debian/openvswitch-switch.postinst
@@ -33,6 +33,9 @@ case "$1" in
                 fi
             done
 	fi
+
+	# fix owner and permissions for /etc/openvswitch.
+	chown ovs:ovs -R /etc/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
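Review bot: `chown ovs:ovs -R /etc/openvswitch` hands the daemon user ownership of everything in the configuration directory, including any private key and certificate placed there (openvswitch-vtep.init in this patch generates `ovsclient-privkey.pem` in this directory), so a compromised ovsdb-server could overwrite or chmod its own credentials; ownership of a credential should not belong to the process that uses it. ovsdb-server does need write access to `conf.db` and the directory, but key material could be `root:ovs` mode 0640 instead. The command also runs on every reconfigure without checking the directory exists; `[ -d /etc/openvswitch ] && chown ovs:ovs -R /etc/openvswitch` avoids a spurious abort under `set -e`. The enclosing `case` arm begins outside the hunk.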
diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init
index 67b7a99..352c95d 100755
--- a/debian/openvswitch-testcontroller.init
+++ b/debian/openvswitch-testcontroller.init
@@ -109,7 +109,7 @@ start_server() {
     fi
 
     if [ ! -d /var/run/openvswitch ]; then
-        install -d -m 755 -o root -g root /var/run/openvswitch
+        install -d -m 755 -o ovs -g ovs /var/run/openvswitch
     fi
 
     SSL_OPTS=
@@ -139,6 +139,7 @@ start_server() {
         if [ -z "$DAEMONUSER" ] ; then
             start-stop-daemon --start --pidfile $PIDFILE \
                         --exec $DAEMON -- --detach --pidfile=$PIDFILE \
+                        --user ovs:ovs \
                         $LISTEN $DAEMON_OPTS $SSL_OPTS
             errcode=$?
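Review bot: `--user ovs:ovs` is hard-coded into the daemon's argument list on the branch taken when `DAEMONUSER` is empty, while the script already has its own account-selection mechanism (`DAEMONUSER`, whose `else` branch lies outside the hunk), so two independent places now decide which account the controller runs as and a later change to one will not carry over to the other. Derive it from a single variable that the defaults file can override, e.g. `--user "${OVS_USER:-ovs}:${OVS_GROUP:-ovs}"`, matching the `OVS_USER`/`OVS_GROUP` convention openvswitch-vtep.init introduces in this same patch. The unquoted `$PIDFILE` on the adjacent lines is pre-existing.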
         else
diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst
index 7242b4a..e8584e2 100755
--- a/debian/openvswitch-testcontroller.postinst
+++ b/debian/openvswitch-testcontroller.postinst
@@ -42,6 +42,8 @@ case "$1" in
             chmod go+r cert.pem req.pem
             umask $oldumask
         fi
+
+        chown ovs:ovs -R /etc/openvswitch-testcontroller
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
index ebf4e26..6fe02a1 100644
--- a/debian/openvswitch-vtep.init
+++ b/debian/openvswitch-vtep.init
@@ -10,6 +10,8 @@
 # Description:       Initializes the Open vSwitch VTEP emulator
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=ovs
 
 # Include defaults if available
 default=/etc/default/openvswitch-vtep
@@ -40,17 +42,21 @@ start () {
         cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
     fi
 
+    chown -R "$OVS_USER":"$OVS_GROUP" /etc/openvswitch
+    chown -R "$OVS_USER":"$OVS_GROUP" /var/run/openvswitch
+
     ovsdb-server --pidfile --detach --log-file --remote \
         punix:/var/run/openvswitch/db.sock \
         --remote=db:hardware_vtep,Global,managers \
         --private-key=/etc/openvswitch/ovsclient-privkey.pem \
         --certificate=/etc/openvswitch/ovsclient-cert.pem \
         --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+        --user "$OVS_USER":"$OVS_GROUP" \
         /etc/openvswitch/conf.db /etc/openvswitch/vtep.db
 
     modprobe openvswitch
 
-    ovs-vswitchd --pidfile --detach --log-file \
+    ovs-vswitchd --pidfile --detach --log-file --user "$OVS_USER":"$OVS_GROUP" \
         unix:/var/run/openvswitch/db.sock
 }
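Review bot: `chown -R "$OVS_USER":"$OVS_GROUP" /var/run/openvswitch` assumes the directory already exists, but nothing in `start()` creates it, so on a fresh boot with a tmpfs /run the chown fails before `ovsdb-server` is launched (and aborts the script if it runs under `set -e`, which is not visible here). openvswitch-testcontroller.init in this same patch handles this with `install -d`; do the same here: `install -d -m 755 -o "$OVS_USER" -g "$OVS_GROUP" /var/run/openvswitch`. The recursive chown of /etc/openvswitch on every start also hands the `ovsclient-privkey.pem` generated by `ovs-pki req` a few lines earlier to the daemon user; `root:"$OVS_GROUP"` with mode 0640 on the key lets it read but not replace its credential. `start()` begins outside the hunk.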
 
-- 
1.9.1



