[ovs-dev] [PATCH v4 1/5] redhat: allow arbitrary user:group

Russell Bryant russell at ovn.org
Fri Aug 4 18:31:58 UTC 2017


On Fri, Aug 4, 2017 at 1:00 PM, Aaron Conole <aconole at redhat.com> wrote:
> Under rpm based distributions, the only user:group that the rhel daemons run
> as is 'root:root'.  This is fine as a default, but as part of a security
> procedure, users may want to run as an alternate uid/gid.  This commit
> adds an OVS_USER_ID environment variable for systemd, which defaults to
> root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
> environment file.
>
> Acked-by: Markos Chandras <mchandras at suse.de>
> Signed-off-by: Aaron Conole <aconole at redhat.com>
> ---
>  rhel/automake.mk                                              | 1 +
>  rhel/etc_openvswitch_default.conf                             | 5 +++++
>  rhel/openvswitch-fedora.spec.in                               | 4 ++++
>  rhel/usr_lib_systemd_system_ovs-vswitchd.service              | 3 +++
>  rhel/usr_lib_systemd_system_ovsdb-server.service              | 3 +++
>  rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template | 3 +++
>  6 files changed, 19 insertions(+)
>  create mode 100644 rhel/etc_openvswitch_default.conf


> diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> index 3050a07..fdaee00 100644
> --- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> +++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
> @@ -21,3 +21,6 @@
>  #   --ovsdb-server-wrapper=valgrind
>  #
>  OPTIONS=""
> +
> +# Uncomment and set the OVS User/Group value
> +#OVS_USER_ID="openvswitch:openvswitch"
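
Review bot: The new comment above `#OVS_USER_ID="openvswitch:openvswitch"` does not say what happens when the line stays commented out or what format the value takes. The commit message states the default is root:root, so the template should say so and state the `user:group` form, for example "# Defaults to root:root when unset; format is user:group". Since the sample value differs from the default, uncommenting it as-is changes which account the daemons run as. The comment should therefore also note that the named user and group must already exist, because nothing in this hunk shows them being created.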

Is this really needed?  How about just documenting the use of
--ovs-user with OPTIONS above?

