[ovs-dev] [PATCH V3] rhel: Fix support for root user using DPDK

Aaron Conole aconole at redhat.com
Wed Feb 7 18:32:27 UTC 2018


Aaron Conole <aconole at redhat.com> writes:

> Ben Pfaff <blp at ovn.org> writes:
>
>> Well, is it ever useful to be able to drop unneeded capabilities while
>> retaining the same uid/gid?  It certainly sounds like a reasonable thing
>> to want to do.  I'm reluctant to apply this without at least considering
>> that possibility.
>
> Let me think about it a bit more.  When I originally suggested shunting
> the setuid code-path, I didn't consider this case.  There could be an
> alternative.
>
> I suggested this in response to the original proposal (add CAP_SYS_ADMIN
> to the list of retained privs).  Certainly, I don't want to allow
> CAP_SYS_ADMIN to be retained (after all, with CAP_NET_ADMIN and
> CAP_SYS_ADMIN, there's really not much reason to change uid from root at
> all - for all functional purposes the process will be root).
>
> Maybe there's a way to see that the user will be root from the
> systemd scripts and not pass the "--user=XXX:YYY" option.

Is the following patch a workable solution?  If so, I can post it
formally.  Marcos, please confirm that this resolves your issue?

---

diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index c6d9aa1b8..889740f1a 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -13,17 +13,18 @@ Restart=on-failure
 Environment=HOME=/var/run/openvswitch
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch/useropts
 @begin_dpdk@
-ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
+ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages'
 ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           restart $OPTIONS
 TimeoutSec=300
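Review bot: the shell suffix-strip in the new `ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages'` line is at risk of never reaching /bin/sh. systemd applies its own `${...}` substitution to Exec* arguments before it spawns the process, the single quotes here are systemd's quoting rather than the shell's, and systemd documents only plain `${NAME}` substitution, so it will look up a variable literally named `OVS_USER_ID##*:` and substitute an empty value, leaving `chown : /dev/hugepages` and the group of /dev/hugepages unchanged (the leading `-` hides any error). Escape the dollar so it survives to the shell, `/bin/sh -c '/usr/bin/chown :$${OVS_USER_ID##*:} /dev/hugepages'`; OVS_USER_ID is already in the process environment through the EnvironmentFile lines above, so sh can expand it. Easy to confirm on a test box with `ls -ld /dev/hugepages` after a start.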
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 234d39355..e05742d87 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -11,13 +11,15 @@ Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
+EnvironmentFile=-/run/openvswitch/useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
-           --ovs-user=${OVS_USER_ID} \
+           ${OVSUSER} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
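Review bot: `${OVS_USER_ID/:*/}` in the new `ExecStartPre=/bin/sh -c '...'` line is a bash-only pattern substitution, not POSIX sh; it works on RHEL where /bin/sh is bash, but on dash or another POSIX shell it aborts with "Bad substitution", and since this ExecStartPre has no `-` prefix that takes ovsdb-server down with it. The POSIX form `${OVS_USER_ID%%:*}` strips the same `:group` suffix. Two more points on that line: as in the ovs-vswitchd unit, systemd substitutes `${...}` in Exec* arguments itself, so the dollar has to be written `$$` for the expansion to reach the shell at all; and comparing against the literal string "root" means an OVS_USER_ID given numerically (0:0) still gets `--ovs-user=` passed, so the test should also accept "0" or resolve the name. Finally, the ovs-vswitchd unit now relies on this ExecStartPre having populated /run/openvswitch/useropts first; because its `EnvironmentFile=-` is optional, a vswitchd start that races or precedes the ovsdb-server start sees `${OVSUSER}` expand to nothing and runs without `--ovs-user` regardless of the configured user. That ordering requirement deserves a comment in the unit or a Requires=/After= check.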
---
