[ovs-dev] [PATCH] utilities: Launch ovsdb-tool without using PAM

Markos Chandras mchandras at suse.de
Mon Aug 6 10:08:48 UTC 2018


Hello Timothy,

On 08/06/2018 01:03 PM, Timothy Redaelli wrote:
> When ovsdb-server is starting, it performs some DB steps such as
> creating and upgrading the OvS DB. When we are running as
> 'non-root' user, the 'runuser' tool is used to manage the privileges.
> However, when this happens during systemd boot, we observe the following
> errors in journald:
> 
> Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to
> scope's control group: No such process
> Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
> Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.
> 
> According to the analysis performed on openSUSE bugzilla[1], it seems
> that ovsdb-server.service creates (via the call to runuser) a user
> session and therefore calls pam_systemd which in its turn tries to start
> a systemd user instance: "user@474.service". However "user@474.service"
> is supposed to be started after systemd-user-sessions.service which is
> supposed to be started after network.target. Additionally,
> ovsdb-server.service uses Before=network.target hence the deadlock.
> 
> This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool" that
> doesn't use PAM and so it permits launching "ovsdb-tool" as a user without
> having the deadlock. Since some old versions of "setpriv" (such as the
> one used by RHEL7) don't support the username / groupname, but only the
> user ids / group ids, "id" is used to get the user ID and the group IDs.
> To replicate the same behaviour of "runuser", the effective group ID of
> the user is used as GID (usually "openvswitch") and the remaining group
> IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
> built with DPDK support).
> 
> [1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630
> Reported-by: Markos Chandras <mchandras at suse.de>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349716.html
> Co-authored-by: Aaron Conole <aconole at redhat.com>
> Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
> ---

Thank you for the fix

Reviewed-by: Markos Chandras <mchandras at suse.de>

-- 
markos

SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
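
The privilege drop described in the quoted commit message, as an added shell example (not the code from the patch; the function names `build_setpriv_args` and `run_as_user` are hypothetical). It assumes a util-linux `setpriv` that accepts `--reuid`, `--regid`, `--groups` and `--clear-groups`; the group ID 1001 in the comments is constructed.

```shell
#!/bin/sh
# Added example: drop privileges with setpriv (no PAM session is opened, so
# pam_systemd is never invoked), using numeric IDs from id(1) because older
# setpriv builds do not accept user or group names.

# build_setpriv_args UID GID "GID1 GID2 ..."
# Prints the setpriv options for the given identity. The primary GID is
# removed from the supplementary list; if nothing is left, supplementary
# groups are cleared so none of root's groups are inherited.
build_setpriv_args() {
    uid=$1
    gid=$2
    all_groups=$3
    supp=
    for g in $all_groups; do
        [ "$g" = "$gid" ] && continue
        supp="${supp:+$supp,}$g"
    done
    if [ -n "$supp" ]; then
        printf '%s\n' "--reuid $uid --regid $gid --groups $supp"
    else
        # setpriv refuses --regid unless the group list is set explicitly.
        printf '%s\n' "--reuid $uid --regid $gid --clear-groups"
    fi
}

# run_as_user USER CMD [ARGS...]
# Resolves USER to numeric IDs and executes CMD under that identity.
run_as_user() {
    user=$1
    shift
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    groups=$(id -G "$user") || return 1
    # Word splitting of the option string is intentional here.
    # shellcheck disable=SC2046
    setpriv $(build_setpriv_args "$uid" "$gid" "$groups") "$@"
}

# Example call (must be run as root):
#   run_as_user openvswitch ovsdb-tool <args>
# With uid/gid 474 and one extra group 1001 this expands to:
#   setpriv --reuid 474 --regid 474 --groups 1001 ovsdb-tool <args>
```
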

