[ovs-dev] [Debian-non-root v2 4/4] Debian: start daemons as ovs(non-root) user
azhou at nicira.com
Mon Oct 26 04:36:03 UTC 2015
On Sat, Oct 24, 2015 at 2:36 PM, Ben Pfaff <blp at nicira.com> wrote:
> On Fri, Oct 09, 2015 at 05:13:24PM -0700, Andy Zhou wrote:
>> Changes to Debian packaging scripts to create the ovs user and group.
>> Fix the permissions of ovs created files and directories so that
>> they are accessible by users belonging to the ovs group.
>> Start daemons as the ovs user.
>> Signed-off-by: Andy Zhou <azhou at nicira.com>
>> This patch does not include changes to the ipsec package. Ansis has
>> other plans for updating it.
> This looks carefully done. Thank you! I have a few suggestions, see
>> +case "$1" in
>> + configure)
>> + LOGDIR=/var/log/openvswitch
>> + # Create the ovs user and group.
>> + adduser --system --group --no-create-home --quiet $OVS_USER || true
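Review bot: `adduser --system --group` creates a group with the same name as the user, so this hunk only works with the later `chown -R $OVS_USER:$OVS_GROUP` lines if `$OVS_GROUP` is always equal to `$OVS_USER`; either derive one from the other, or pass the group explicitly (`--ingroup "$OVS_GROUP"` after creating the group with `addgroup --system`) so the two variables cannot drift apart. `LOGDIR=/var/log/openvswitch` is assigned here but nothing in the visible lines uses it; if the log directory is meant to get the same ownership fix as the rundir, that step is missing, and if not, the assignment is dead.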
> Based on looking at other packages, I'd suggest adding --disabled-login
> to this command.
> I am not sure why || true is there. If adduser fails, then I suspect
> that configuration should fail. I only see || true (or similar) in a
> minority of other packages that add users.
> From looking at other packages, it looks like there's an unwritten
> convention that a daemon's home directory should be its rundir, e.g. add
> "--home /var/run/openvswitch".
> A number of other packages check whether the account already exists
> before it creates it. adduser is supposed to work OK in this case, as
> long as nothing needs to change, but it might be considered best
> practice to check. e.g. here is what exim4-base does:
> if ! getent passwd Debian-exim > /dev/null ; then
> echo 'Adding system-user for exim (v4)' 1>&2
> adduser --system --group --quiet --home /var/spool/exim4 \
> --no-create-home --disabled-login --force-badname Debian-exim
> fi
Those are good suggestions. Will adopt all in the next rev.
> openvswitch-vtep.init seems like a funny place to do the following:
>> + chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
>> + chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
>> + chmod -R 0770 /var/run/openvswitch
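Review bot: `chmod -R 0770 /var/run/openvswitch` applies one mode to directories and files alike, so every pidfile and socket under the rundir becomes group-executable, and the missing "other" bits hide the directory from unprivileged users who only want to read a pidfile. Set the mode on directories only, e.g. `find /var/run/openvswitch -type d -exec chmod 0775 {} +`, and let the daemons' umask decide file modes. The `chown -R` of /etc/openvswitch also runs on every init start rather than once at install; it will re-take ownership of anything an administrator dropped into that directory, so postinst (or a one-time migration) is the better place for it.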
I agree it is odd. But seems necessary given the directory and files
created above as root. Do you have some alternatives in mind?
> Also, the 770 permissions for /var/run/openvswitch mean that
> unprivileged users can't see the OVS pidfiles that can reliably report
> what OVS daemons are running. Based on looking at my own system, this
> is somewhat unusual (try running "find /var/run/ -maxdepth 1 -type d
> -ls" and look at your results).
I see. How about 775?
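The two points discussed above, the getent/adduser idiom for creating the system account and the rundir permissions that keep pidfiles visible to other users, as an added example written for this page; it is not code from the patch, the thread or the Open vSwitch packaging. OVS_USER, OVS_GROUP, OVS_RUNDIR and the 0775/0664 modes are assumptions for illustration; create_ovs_user needs root and is not exercised by the demo, which runs on a temporary tree instead of /var/run/openvswitch.

```sh
#!/bin/sh
# Added example (not from the patch or OVS packaging). Assumed names:
# OVS_USER, OVS_GROUP, OVS_RUNDIR; modes 0775/0664 are illustrative.

OVS_USER="${OVS_USER:-ovs}"
OVS_GROUP="${OVS_GROUP:-ovs}"
OVS_RUNDIR="${OVS_RUNDIR:-/var/run/openvswitch}"

# Create the account only if it does not already exist, with the flags
# suggested in the review: no login shell, home set to the rundir, and
# no home directory created. Requires root; not called by the demo.
create_ovs_user() {
    if getent passwd "$OVS_USER" >/dev/null; then
        return 0
    fi
    echo "Adding system user $OVS_USER" >&2
    adduser --system --group --quiet --home "$OVS_RUNDIR" \
        --no-create-home --disabled-login "$OVS_USER"
}

# Apply one mode to directories and another to regular files below $1,
# instead of a blanket "chmod -R" that marks every file executable.
fix_tree_modes() {
    dir=$1; dir_mode=$2; file_mode=$3
    find "$dir" -type d -exec chmod "$dir_mode" {} +
    find "$dir" -type f -exec chmod "$file_mode" {} +
}

# Octal rwx triplets of a path (GNU stat), ignoring setuid/setgid/sticky.
mode_of() {
    m=$(stat -c '%a' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# Can a user who is neither owner nor group member list and enter the
# directory, i.e. read a pidfile inside it? True when the "other" digit
# has both r (4) and x (1): 5 or 7.
others_can_browse() {
    m=$(stat -c '%a' "$1")
    case "${m#"${m%?}"}" in
        5|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demonstration on a constructed temporary tree (no root needed): the
# patch's "chmod -R 0770" versus per-type modes. Prints
# "<dir before> <dir after> <pidfile after>".
demo_rundir_modes() {
    tmp=$(mktemp -d)
    mkdir "$tmp/openvswitch"
    echo 12345 > "$tmp/openvswitch/ovs-vswitchd.pid"   # constructed pidfile
    chmod -R 0770 "$tmp/openvswitch"                    # what the patch does
    before=$(mode_of "$tmp/openvswitch")
    fix_tree_modes "$tmp/openvswitch" 0775 0664         # proposed instead
    after_dir=$(mode_of "$tmp/openvswitch")
    after_file=$(mode_of "$tmp/openvswitch/ovs-vswitchd.pid")
    rm -rf "$tmp"
    echo "$before $after_dir $after_file"
}

# Run "sh this.sh demo" to print the before/after modes.
if [ "${1:-}" = "demo" ]; then
    demo_rundir_modes
fi
```

With 0775 on the directory and 0664 on the pidfile, a user outside the ovs group can still read which daemons are running, while only the owner and the ovs group can create or replace files there.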