[ovs-dev] [Debian-non-root 4/4] Debian: start daemons as ovs(non-root) user

Ansis Atteka aatteka at nicira.com
Thu Oct 8 01:49:13 UTC 2015


On Mon, Oct 5, 2015 at 6:38 PM, Andy Zhou <azhou at nicira.com> wrote:

Thanks Andy for doing this! I will have another more careful look at
this patch tomorrow, because I think I somehow managed to get into a
state where after installing debian packages /etc/openvswitch still
belonged to root.


> Changes to Debian packaging scripts to create the ovs user and group.
> Fix the permissions of ovs created files and directories so that
> they are accessible by users belong to the ovs group.

s/users belong/users that belong

> Start daemons as the ovs user.
>
> Signed-off-by: Andy Zhou <azhou at nicira.com>

This patch, I believe, breaks upgrades:

Wed Oct  7 23:35:44 UTC 2015:stop
 * ovs-vswitchd is not running
 * ovsdb-server is not running
Wed Oct  7 23:35:44 UTC 2015:load-kmod
Wed Oct  7 23:35:44 UTC 2015:start --system-id=random --no-run-as-root
ovsdb-server: /var/run/openvswitch/ovsdb-server.pid.tmp: create failed
(Permission denied)

I guess this was happening because that directory still belonged to
the root user after the upgrade.


>
> ----
> This patch does not include changes to the ipsec package. Ansis has
> other plans for updating it.

Yeah, I will have to figure out how to do this from Python daemons. I
guess we have to synchronize our changes so that we don't break IPsec.

> ---
>  NEWS                                       |  3 ++-
>  debian/automake.mk                         |  1 +
>  debian/openvswitch-common.postinst         | 42 ++++++++++++++++++++++++++++++
>  debian/openvswitch-pki.postinst            |  2 ++
>  debian/openvswitch-switch.init             |  1 +
>  debian/openvswitch-switch.logrotate        |  2 +-
>  debian/openvswitch-switch.postinst         |  3 +++
>  debian/openvswitch-testcontroller.init     |  3 ++-
>  debian/openvswitch-testcontroller.postinst |  2 ++
>  debian/openvswitch-vtep.init               |  8 +++++-
>  10 files changed, 63 insertions(+), 4 deletions(-)
>  create mode 100755 debian/openvswitch-common.postinst
>
> diff --git a/NEWS b/NEWS
> index cdf2815..8f0e5b6 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -23,7 +23,8 @@ Post-v2.4.0
>     - Dropped support for GRE64 tunnel.
>     - Mark --syslog-target argument as deprecated.  It will be removed in
>       the next OVS release.
> -   - Added --user option to all daemons
> +   - Added --user option to all daemons.
> +   - Debain package starts daemons as the 'ovs' user.
s/Debain/Debian
>
>
>  v2.4.0 - 20 Aug 2015
> diff --git a/debian/automake.mk b/debian/automake.mk
> index c29a560..3092569 100644
> --- a/debian/automake.mk
> +++ b/debian/automake.mk
> @@ -8,6 +8,7 @@ EXTRA_DIST += \
>         debian/dkms.conf.in \
>         debian/dirs \
>         debian/openvswitch-common.dirs \
> +       debian/openvswitch-common.postinst \
>         debian/openvswitch-common.docs \
>         debian/openvswitch-common.install \
>         debian/openvswitch-common.manpages \
> diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst
> new file mode 100755
> index 0000000..c90ab5a
> --- /dev/null
> +++ b/debian/openvswitch-common.postinst
> @@ -0,0 +1,42 @@
> +#!/bin/sh
> +# postinst script for openvswitch-switch
Copy-paste error: This is openvswitch-common and not
openvswitch-switch postinst script

> +#
> +# see: dh_installdeb(1)
> +
> +set -e
> +
> +# summary of how this script can be called:
> +#        * <postinst> `configure' <most-recently-configured-version>
> +#        * <old-postinst> `abort-upgrade' <new version>
> +#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
> +#          <new-version>
> +#        * <postinst> `abort-remove'
> +#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
> +#          <failed-install-package> <version> `removing'
> +#          <conflicting-package> <version>
> +# for details, see http://www.debian.org/doc/debian-policy/ or
> +# the debian-policy package
> +
> +case "$1" in
> +    configure)
> +        LOGDIR=/var/log/openvswitch
> +        # Create the ovs user and group.
> +        adduser --system --group --no-create-home --quiet ovs || true
There are useradd and adduser utilities. I tried *bare minimum* Debian
8 installation and adduser was not installed by default. Should you
add adduser to dependencies in debian/control file?


> +
> +        # Fix ownership and permissions.
> +        chown -R ovs:ovs $LOGDIR
> +        chmod -R 0770 $LOGDIR
You have probably thought more about this, but now "adm" group is
dropped for OVS logs. Do you see any issue with this?


> +        ;;
> +
> +    abort-upgrade|abort-remove|abort-deconfigure)
> +        ;;
> +
> +    *)
> +        echo "postinst called with unknown argument \`$1'" >&2
> +        exit 1
> +        ;;
> +esac
> +
> +#DEBHELPER#
> +
> +exit 0
> diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
> index f4705e9..030180d 100755
> --- a/debian/openvswitch-pki.postinst
> +++ b/debian/openvswitch-pki.postinst
> @@ -31,6 +31,8 @@ case "$1" in
>          if test ! -e /var/lib/openvswitch/pki; then
>              ovs-pki init
>          fi
> +
> +        chown ovs:ovs -R /var/lib/openvswitch/pki
Shouldn't changing user recursively for /var/lib/openvswitch be a
better approach?
>          ;;
>
>      abort-upgrade|abort-remove|abort-deconfigure)
> diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
> index 8e156da..febf414 100755
> --- a/debian/openvswitch-switch.init
> +++ b/debian/openvswitch-switch.init
> @@ -64,6 +64,7 @@ start () {
>      if test X"$FORCE_COREFILES" != X; then
>         set "$@" --force-corefiles="$FORCE_COREFILES"
>      fi
> +    set "$@" --no-run-as-root
>      set "$@" $OVS_CTL_OPTS
>      "$@" || exit $?
>      if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
> diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate
> index a7a71bd..be929b6 100644
> --- a/debian/openvswitch-switch.logrotate
> +++ b/debian/openvswitch-switch.logrotate
> @@ -1,7 +1,7 @@
>  /var/log/openvswitch/*.log {
>      daily
>      compress
> -    create 640 root adm
> +    create 640 ovs ovs
>      delaycompress
>      missingok
>      rotate 30
> diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst
> index 2464572..9183bdc 100755
> --- a/debian/openvswitch-switch.postinst
> +++ b/debian/openvswitch-switch.postinst
> @@ -33,6 +33,9 @@ case "$1" in
>                  fi
>              done
>         fi
> +
> +       # fix owner and permissions for /etc/openvswitch.
> +       chown ovs:ovs -R /etc/openvswitch

can you assume that this directory unconditionally exists (I believe
all debian scripts are run with set -e and you don't want them to
terminate prematurely)?

>          ;;
>
>      abort-upgrade|abort-remove|abort-deconfigure)
> diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init
> index 67b7a99..352c95d 100755
> --- a/debian/openvswitch-testcontroller.init
> +++ b/debian/openvswitch-testcontroller.init
> @@ -109,7 +109,7 @@ start_server() {
>      fi
>
>      if [ ! -d /var/run/openvswitch ]; then
> -        install -d -m 755 -o root -g root /var/run/openvswitch
> +        install -d -m 755 -o ovs -g ovs /var/run/openvswitch
if directory exists this will not change ownership, right?
>      fi
>
>      SSL_OPTS=
> @@ -139,6 +139,7 @@ start_server() {
>          if [ -z "$DAEMONUSER" ] ; then
>              start-stop-daemon --start --pidfile $PIDFILE \
>                          --exec $DAEMON -- --detach --pidfile=$PIDFILE \
> +                        --user ovs:ovs \
it seems inconsistent that in some places you use --user ovs:ovs but
in other --user "$OVS_USER":"$OVS_GROUP"


>                          $LISTEN $DAEMON_OPTS $SSL_OPTS
>              errcode=$?
>          else
> diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst
> index 7242b4a..e8584e2 100755
> --- a/debian/openvswitch-testcontroller.postinst
> +++ b/debian/openvswitch-testcontroller.postinst
> @@ -42,6 +42,8 @@ case "$1" in
>              chmod go+r cert.pem req.pem
>              umask $oldumask
>          fi
> +
> +        chown ovs:ovs -R /etc/openvswitch-testcontroller
>          ;;
>
>      abort-upgrade|abort-remove|abort-deconfigure)
> diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
> index ebf4e26..6fe02a1 100644
> --- a/debian/openvswitch-vtep.init
> +++ b/debian/openvswitch-vtep.init
> @@ -10,6 +10,8 @@
>  # Description:       Initializes the Open vSwitch VTEP emulator
>  ### END INIT INFO
>
> +OVS_USER=ovs
> +OVS_GROUP=ovs
>
>  # Include defaults if available
>  default=/etc/default/openvswitch-vtep
> @@ -40,17 +42,21 @@ start () {
>          cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
>      fi
>
> +    chown -R "$OVS_USER":"$OVS_GROUP" /etc/openvswitch
> +    chown -R "$OVS_USER":"$OVS_GROUP" /var/run/openvswitch
> +
>      ovsdb-server --pidfile --detach --log-file --remote \
>          punix:/var/run/openvswitch/db.sock \
>          --remote=db:hardware_vtep,Global,managers \
>          --private-key=/etc/openvswitch/ovsclient-privkey.pem \
>          --certificate=/etc/openvswitch/ovsclient-cert.pem \
>          --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
> +        --user "$OVS_USER":"$OVS_GROUP" \
>          /etc/openvswitch/conf.db /etc/openvswitch/vtep.db
>
>      modprobe openvswitch
>
> -    ovs-vswitchd --pidfile --detach --log-file \
> +    ovs-vswitchd --pidfile --detach --log-file --user "$OVS_USER":"$OVS_GROUP" \
>          unix:/var/run/openvswitch/db.sock
>  }
>
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev



More information about the dev mailing list