[ovs-dev] [PATCH] utilities: Launch ovsdb-tool without using PAM

Ben Pfaff blp at ovn.org
Mon Aug 6 22:21:29 UTC 2018


On Mon, Aug 06, 2018 at 08:33:46AM -0400, Aaron Conole wrote:
> Timothy Redaelli <tredaelli at redhat.com> writes:
> 
> > When ovsdb-server is starting, it performs some DB steps such as
> > creating and upgrading the OvS DB. When we are running as
> > 'non-root' user, the 'runuser' tool is used to manage the privileges.
> > However, when this happens during systemd boot, we observe the following
> > errors in journald:
> >
> > Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to
> > scope's control group: No such process
> > Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
> > Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.
> >
> > According to the analysis performed on openSUSE bugzilla[1], it seems
> > that ovsdb-server.service creates (via the call to runuser) a user
> > session and therefore calls pam_systemd, which in its turn tries to start
> > a systemd user instance: "user@474.service". However "user@474.service"
> > is supposed to be started after systemd-user-sessions.service which is
> > supposed to be started after network.target. Additionally,
> > ovsdb-server.service uses Before=network.target hence the deadlock.
> >
> > This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool". "setpriv"
> > doesn't use PAM, so it permits launching "ovsdb-tool" as a user without
> > having the deadlock. Since some old versions of "setpriv" (such as the
> > one used by RHEL7) don't support the username / groupname, but only the
> > user ids / group ids, "id" is used to get the user ID and the group IDs.
> > To replicate the same behaviour of "runuser", the effective group ID of
> > the user is used as GID (usually "openvswitch") and the remaining group
> > IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
> > built with DPDK support).
> >
> > [1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630
> > Reported-by: Markos Chandras <mchandras at suse.de>
> > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349716.html
> > Co-authored-by: Aaron Conole <aconole at redhat.com>
> > Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
> > ---
> 
> Thanks all.
> 
> Signed-off-by: Aaron Conole <aconole at redhat.com>

Thanks, applied to master, backported as far as 2.7.
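As an added example (not the patch itself, and not the script shipped by Open vSwitch), this shell snippet builds the setpriv options in the way the commit message describes: uid and effective gid resolved numerically through "id", the effective gid used as the primary group, the remaining gids passed as supplementary groups. The `setpriv_opts_from_ids` and `setpriv_cmd_for_user` function names are my own.

```shell
#!/bin/sh
# Added example, not OVS project code: replicate runuser's identity setup
# with setpriv (no PAM session, so no pam_systemd and no boot deadlock).
# Old setpriv (RHEL7) only takes numeric ids, so "id" resolves them first.

# Args: uid, effective gid, all gids as "id -G" prints them (space separated).
# Prints the setpriv options: --reuid/--regid, plus --groups with every gid
# other than the effective one, or --clear-groups when there are none.
setpriv_opts_from_ids() {
    uid=$1
    gid=$2
    all_gids=$3
    supp=""
    for g in $all_gids; do
        # The effective gid becomes the primary group; drop it from the
        # supplementary list (it may appear more than once in "id -G").
        if [ "$g" != "$gid" ]; then
            supp="${supp:+$supp,}$g"
        fi
    done
    if [ -n "$supp" ]; then
        printf '%s' "--reuid $uid --regid $gid --groups $supp"
    else
        printf '%s' "--reuid $uid --regid $gid --clear-groups"
    fi
}

# Resolve a real account with "id" and print the command line that would
# run ovsdb-tool as that user. Remaining arguments are passed to ovsdb-tool.
setpriv_cmd_for_user() {
    user=$1
    shift
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    gids=$(id -G "$user") || return 1
    printf 'setpriv %s -- ovsdb-tool %s\n' \
        "$(setpriv_opts_from_ids "$uid" "$gid" "$gids")" "$*"
}

# Constructed sample: uid 474 (the user@474.service from the report), primary
# group 474 plus a supplementary group 475 standing in for "hugetlbfs".
# setpriv_opts_from_ids 474 474 '474 475'
# -> --reuid 474 --regid 474 --groups 475
```

Running `setpriv_cmd_for_user openvswitch create /etc/openvswitch/conf.db /usr/share/openvswitch/vswitch.ovsschema` only prints the command; the `setpriv` invocation itself still has to be started from the root-owned service context, which is where runuser was used before.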
