[ovs-dev] [PATCH 6/6] redhat: allow dpdk to also run as non-root user

Aaron Conole aconole at redhat.com
Sat Jun 3 15:10:01 UTC 2017


After this commit, users may start a dpdk-enabled ovs setup as a
non-root user.  This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership.  This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete.  There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges.  However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.

This does not change OvS+DPDK's SELinux requirements.  It still must be
disabled.

Signed-off-by: Aaron Conole <aconole at redhat.com>
---
 rhel/.gitignore                                             |  1 +
 rhel/automake.mk                                            |  3 ++-
 rhel/openvswitch-fedora.spec.in                             | 13 +++++++++++++
 ...rvice => usr_lib_systemd_system_ovs-vswitchd.service.in} |  4 ++++
 4 files changed, 20 insertions(+), 1 deletion(-)
 rename rhel/{usr_lib_systemd_system_ovs-vswitchd.service => usr_lib_systemd_system_ovs-vswitchd.service.in} (87%)

diff --git a/rhel/.gitignore b/rhel/.gitignore
index 164bb66..e584a1e 100644
--- a/rhel/.gitignore
+++ b/rhel/.gitignore
@@ -4,3 +4,4 @@ openvswitch-kmod-rhel6.spec
 openvswitch-kmod-fedora.spec
 openvswitch.spec
 openvswitch-fedora.spec
+usr_lib_systemd_system_ovs-vswitchd.service
diff --git a/rhel/automake.mk b/rhel/automake.mk
index 1265fa7..2d58a58 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -28,6 +28,7 @@ EXTRA_DIST += \
 	rhel/usr_lib_systemd_system_openvswitch.service \
 	rhel/usr_lib_systemd_system_ovsdb-server.service \
 	rhel/usr_lib_systemd_system_ovs-vswitchd.service \
+	rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \
 	rhel/usr_lib_systemd_system_ovn-controller.service \
 	rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
 	rhel/usr_lib_systemd_system_ovn-northd.service \
@@ -58,7 +59,7 @@ RPMBUILD_TOP := $(abs_top_builddir)/rpm/rpmbuild
 RPMBUILD_OPT ?= --without check
 
 # Build user-space RPMs
-rpm-fedora: dist $(srcdir)/rhel/openvswitch-fedora.spec
+rpm-fedora: dist $(srcdir)/rhel/openvswitch-fedora.spec rhel/usr_lib_systemd_system_ovs-vswitchd.service
 	${MKDIR_P} ${RPMBUILD_TOP}/SOURCES
 	cp ${DIST_ARCHIVES} ${RPMBUILD_TOP}/SOURCES
 	rpmbuild ${RPMBUILD_OPT} \
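Review bot: The new prerequisite `rhel/usr_lib_systemd_system_ovs-vswitchd.service` is listed after `dist`, but Make does not order prerequisites, so under `make -j` `dist` can run before the generated unit exists; because the first hunk keeps the now-generated `.service` in EXTRA_DIST next to the new `.service.in`, `dist` would then fail on the missing file. The ordering requirement belongs on the target that needs the file: either make `dist` depend on it (an explicit prerequisite or a `dist-hook` that generates it), or stop distributing the generated file and keep only `rhel/usr_lib_systemd_system_ovs-vswitchd.service.in` in EXTRA_DIST. The rule that produces the `.service` from `.service.in` is not in this patch; presumably an existing generic `.in` substitution rule handles it, so confirm it also processes the `@begin_dpdk@`/`@end_dpdk@` markers. The rpm-fedora recipe continues outside the hunk.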
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index f4da735..26dd3c8 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -94,6 +94,10 @@ Requires: openssl hostname iproute module-init-tools
 
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/useradd
+%if %{with dpdk}
+Requires(post): /usr/sbin/usermod
+Requires(post): /usr/sbin/groupadd
+%endif
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
@@ -362,6 +366,15 @@ if [ $1 -eq 1 ]; then
     echo "OVS_USER_ID=openvswitch:openvswitch" > \
          %{_sysconfdir}/sysconfig/openvswitch-pre
 
+%if %{with dpdk}
+    getent group hugetlbfs >/dev/null || \
+        groupadd hugetlbfs
+
+    usermod -a -G hugetlbfs openvswitch
+    echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+         %{_sysconfdir}/sysconfig/openvswitch-pre
+%endif
+
     # In the case of upgrade, this is not needed.
     install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
 fi
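Review bot: The hugetlbfs group creation and `usermod -a -G hugetlbfs openvswitch` run only inside the `if [ $1 -eq 1 ]` fresh-install branch, so upgrading an existing installation to this dpdk-enabled package never creates the group or adds the user to it, while the unit's `ExecStartPre` chown to `:hugetlbfs` (last hunk) would then fail for lack of the group. Both commands are idempotent (`getent group ... || groupadd`, `usermod -a`), so hoisting them above the `if`, still under the same `%if %{with dpdk}` guard, makes upgrades safe; the `OVS_USER_ID` write can stay fresh-install-only. The dpdk block also immediately overwrites the `openvswitch:openvswitch` line written two lines earlier; a single `echo` wrapped in `%if`/`%else`/`%endif` would avoid writing the file twice. The `%post` scriptlet begins outside the hunk.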
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
similarity index 87%
rename from rhel/usr_lib_systemd_system_ovs-vswitchd.service
rename to rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index 0434d20..8c60e86 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -11,8 +11,12 @@ PartOf=openvswitch.service
 Type=forking
 Restart=on-failure
 Environment="OVS_USER_ID=root:root"
+Environment="HOME=/var/run/openvswitch"
 EnvironmentFile=-/etc/sysconfig/openvswitch-pre
 EnvironmentFile=-/etc/sysconfig/openvswitch
+ at begin_dpdk@
+ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"
+ at end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
           --ovs-user=${OVS_USER_ID} \
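Review bot: `ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"` quotes the whole command line as one word, so systemd treats the entire string, spaces included, as the executable path and the unit fails to start; it should read `ExecStartPre=/usr/sbin/chown :hugetlbfs /dev/hugepages`. The chown needs root and works only because the unit sets no `User=` and ovs-ctl drops privileges later via `--ovs-user`; that is worth stating above the line, e.g. `# runs as root; ovs-ctl drops to ${OVS_USER_ID} afterwards`. If hugetlbfs is not yet mounted at `/dev/hugepages`, the chown aborts startup, so a `RequiresMountsFor=/dev/hugepages` in [Unit] (outside the hunk) would order the service after the mount. The markers appear here as ` at begin_dpdk@`, presumably the list archive rewriting `@`; check that the applied patch carries `@begin_dpdk@`/`@end_dpdk@`.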
-- 
2.9.4


