[ovs-dev] [Debian-non-root v2 4/4] Debian: start daemons as ovs(non-root) user

Ben Pfaff blp at nicira.com
Sat Oct 24 21:36:01 UTC 2015

On Fri, Oct 09, 2015 at 05:13:24PM -0700, Andy Zhou wrote:
> Changes to Debian packaging scripts to create the ovs user and group.
> Fix the permissions of ovs created files and directories so that
> they are accessible by users belong to the ovs group.
> Start daemons as the ovs user.
> Signed-off-by: Andy Zhou <azhou at nicira.com>
> ----
> This patch does not include changes to the ipsec package. Ansis has
> other plans for updating it.

This looks carefully done.  Thank you!  I have a few suggestions, see

> +case "$1" in
> +    configure)
> +        LOGDIR=/var/log/openvswitch
> +        # Create the ovs user and group.
> +        adduser --system --group --no-create-home --quiet $OVS_USER || true
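Review bot: the `|| true` on the adduser line hides a failed account creation, so `configure` proceeds and the later chown/chmod and daemon start then refer to a user that does not exist; let adduser's exit status propagate, or guard the call with `getent passwd "$OVS_USER"` so the only tolerated case is "already present". The call also gives no `--home`, so the account gets adduser's default home rather than the daemon's rundir, and `$OVS_USER` is unquoted; `adduser --system --group --quiet --no-create-home --disabled-login --home /var/run/openvswitch "$OVS_USER"` covers all three.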

Based on looking at other packages, I'd suggest adding --disabled-login
to this command.

I am not sure why || true is there.  If adduser fails, then I suspect
that configuration should fail.  I only see || true (or similar) in a
minority of other packages that add users.

From looking at other packages, it looks like there's an unwritten
convention that a daemon's home directory should be its rundir, e.g. add
"--home /var/run/openvswitch".

A number of other packages check whether the account already exists
before it creates it.  adduser is supposed to work OK in this case, as
long as nothing needs to change, but it might be considered best
practice to check.  e.g. here is what exim4-base does:

        if ! getent passwd Debian-exim > /dev/null ; then
          echo 'Adding system-user for exim (v4)' 1>&2
          adduser --system --group --quiet --home /var/spool/exim4 \
            --no-create-home --disabled-login --force-badname Debian-exim
        fi

openvswitch-vtep.init seems like a funny place to do the following:

> +    chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
> +    chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
> +    chmod -R 0770 /var/run/openvswitch
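Review bot: `chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch` on every init run hands the daemon user write access to its own persistent configuration directory, so a compromised daemon can rewrite the database and anything else stored there; a one-time ownership fix belongs in postinst, and /etc/openvswitch is better left root-owned with group read access unless the daemons genuinely need to write it. The recursive `chmod -R 0770` on /var/run/openvswitch also applies one mode to the directory, the pidfiles and the control sockets alike; if the intent is to restrict the sockets to the group, do that on the socket files and keep the directory 0755 so the pidfiles stay readable. Both variables should be quoted.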

Also, the 770 permissions for /var/run/openvswitch mean that
unprivileged users can't see the OVS pidfiles that can reliably report
what OVS daemons are running.  Based on looking at my own system, this
is somewhat unusual (try running "find /var/run/ -maxdepth 1 -type d
-ls" and look at your results).
