[ovs-dev] [PATCH v4 0/5] rhel/fedora: non-root OvS out of the box

Aaron Conole aconole at redhat.com
Fri Aug 4 17:00:52 UTC 2017


This series attempts to introduce the ability to start and use
Open vSwitch 'out of the box' as a non-root user.  It does this by
modifying the service files to pass the recently introduced --ovs-user
argument around, and by making some minor tweaks to the passwd, group,
and filesystem information.

I prefixed the packaging work with 'redhat', but if rpm or packaging
is a preferred prefix for that work, I can respin.

The more controversial changes are:

* This modifies the /etc/sysconfig/ file on install.
* The dpdk support directly modifies /dev/hugepages with a call to chmod
* A new user 'openvswitch', and up to two new groups 'openvswitch', and
  'hugetlbfs' are created

After this series:

> [root at wsfd-netdev60 ~]# yum install openvswitch-2.7.90-1.fc25.x86_64.rpm 
> Loaded plugins: product-id, search-disabled-repos, subscription-manager
> This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
> Examining openvswitch-2.7.90-1.fc25.x86_64.rpm: openvswitch-2.7.90-1.fc25.x86_64
> Marking openvswitch-2.7.90-1.fc25.x86_64.rpm to be installed
> Resolving Dependencies
> --> Running transaction check
> ---> Package openvswitch.x86_64 0:2.7.90-1.fc25 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
>  Package      Arch    Version          Repository                          Size
> ================================================================================
> Installing:
>  openvswitch  x86_64  2.7.90-1.fc25    /openvswitch-2.7.90-1.fc25.x86_64   11 M
>
> Transaction Summary
> ================================================================================
> Install  1 Package
>
> Total size: 11 M
> Installed size: 11 M
> Is this ok [y/d/N]: y
> Downloading packages:
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
>   Installing : openvswitch-2.7.90-1.fc25.x86_64                             1/1 
>   Verifying  : openvswitch-2.7.90-1.fc25.x86_64                             1/1 
>
> Installed:
>   openvswitch.x86_64 0:2.7.90-1.fc25                                            
>
> Complete!
> [root at wsfd-netdev60 ~]# systemctl start openvswitch
> [root at wsfd-netdev60 ~]# ps aux | grep ovs
> openvsw+  12642  0.0  0.0  47864  2296 ?        S<s  10:57   0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
> openvsw+  12688  0.0  0.0  49588 10600 ?        S<Ls 10:57   0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach


v1->v2:
https://lists.linux-foundation.org/pipermail/ovs-dev/2017-June/333417.html

The previous method used 3 different locations of configuration from
environment variables:
1. The systemd file.
2. A new /etc/sysconfig/openvswitch-pre
3. The existing /etc/sysconfig/openvswitch

Now, configuration is from two areas:
1. A new /etc/openvswitch/default.conf
2. The existing /etc/sysconfig/openvswitch

As part of the install, we set the OVS_USER_ID to the new values.

v2->v3:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/334946.html

Refactor for the dpdk non-root user portion due to an issue discovered
where the generated service file didn't honor new configuration when
re-running ./configure.

Also, converted the "Reviewed-by" to "Acked-by".  This is because there
is no such thing as Reviewed-by in the OVS contributing guide.

Finally, included some documentation updates.

v3->v4:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/336558.html

Remove the makefile modifications


Aaron Conole (5):
  redhat: allow arbitrary user:group
  redhat: dynamically allocate and reference ovs user
  dpdkstrip: add a preprocessor tool for stripping dpdk blocks
  redhat: dynamic service file for vswitchd
  redhat: allow dpdk to also run as non-root user

 Documentation/intro/install/dpdk.rst               |  7 ++++
 Makefile.am                                        |  1 +
 NEWS                                               |  1 +
 build-aux/dpdkstrip.pl                             | 35 +++++++++++++++++++
 rhel/.gitignore                                    |  1 +
 rhel/README.RHEL.rst                               | 11 ++++++
 rhel/automake.mk                                   |  5 ++-
 rhel/etc_openvswitch_default.conf                  |  5 +++
 rhel/openvswitch-fedora.spec.in                    | 39 ++++++++++++++++++++++
 ...usr_lib_systemd_system_ovs-vswitchd.service.in} |  8 +++++
 rhel/usr_lib_systemd_system_ovsdb-server.service   |  4 +++
 ..._openvswitch_scripts_systemd_sysconfig.template |  3 ++
 12 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 build-aux/dpdkstrip.pl
 create mode 100644 rhel/etc_openvswitch_default.conf
 rename rhel/{usr_lib_systemd_system_ovs-vswitchd.service => usr_lib_systemd_system_ovs-vswitchd.service.in} (72%)

-- 
2.9.4
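
A check for the outcome the cover letter demonstrates with `ps aux`, as an added example that is not part of the original post or of the patch series: it confirms that both daemons run as the account named in their `--user` argument and allows for the truncated `openvsw+` owner column. The names `check_ovs_privs`, `sample_nonroot` and `sample_root` are hypothetical, and the sample lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: confirm the OVS daemons dropped root, using ps aux text.
# check_ovs_privs and both sample_* helpers are hypothetical names.
check_ovs_privs() {
    awk '
    {
        n = split($11, p, "/"); name = p[n]      # COMMAND is column 11
        if (name != "ovsdb-server" && name != "ovs-vswitchd") next
        seen++; want = ""; why = ""; col = $1
        for (i = 12; i <= NF; i++) {
            if ($i == "--user" && i < NF) want = $(i + 1)
            else if ($i ~ /^--user=/) want = substr($i, 8)
        }
        sub(/:.*/, "", want)                     # user half of user:group
        if (col == "root" || col == "0") why = "running as root"
        else if (want == "") why = "no --user argument"
        else if (want == "root" || want == "0") why = "--user requests root"
        else if (col ~ /\+$/) {
            # ps aux truncates long names and appends "+": compare the prefix
            pre = substr(col, 1, length(col) - 1)
            if (index(want, pre) != 1) why = "owner " col " is not " want
        } else if (col != want) why = "owner " col " is not " want
        if (why != "") { bad++; print "FAIL " name ": " why }
        else print "OK " name " " want
    }
    END {
        if (!seen) { print "FAIL no OVS daemons found"; exit 1 }
        exit (bad > 0)
    }'
}
sample_nonroot() {   # constructed, shortened from the ps output in the post
    cat <<'EOF'
openvsw+ 12642 0.0 0.0 47864  2296 ? S<s  10:57 0:00 ovsdb-server /etc/openvswitch/conf.db --user openvswitch:openvswitch --detach
openvsw+ 12688 0.0 0.0 49588 10600 ? S<Ls 10:57 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock --mlockall --user openvswitch:openvswitch --detach
root     12700 0.0 0.0 12345   980 pts/0 S+ 10:58 0:00 grep ovs
EOF
}
sample_root() {      # constructed: same daemons with no privilege drop
    cat <<'EOF'
root      2201 0.0 0.0 47864  2296 ? S<s  10:57 0:00 ovsdb-server /etc/openvswitch/conf.db --detach
root      2244 0.0 0.0 49588 10600 ? S<Ls 10:57 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock --mlockall --detach
EOF
}
sample_nonroot | check_ovs_privs
sample_root | check_ovs_privs || echo "daemons still hold root"
```

On a host, pipe `ps aux` into `check_ovs_privs`; a non-zero exit status means a daemon kept root, lacks `--user`, or was not found.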


