[ovs-dev] [PATCH] utilities: Run ovsdb-server pre-startup DB steps as root

Markos Chandras mchandras at suse.de
Mon Jul 16 10:31:48 UTC 2018

When ovsdb-server is starting, it performs some DB steps such as
creating and upgrading the OvS DB. When we are running as a
'non-root' user, the 'runuser' tool is used to manage the privileges.
However, when this happens during systemd boot, we observe the following
errors in journald:

Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to scope's control group: No such process
Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user openvswitch.
Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed state.

According to the analysis performed on openSUSE bugzilla[1], it seems
that ovsdb-server.service creates (via the call to runuser) a user
session and therefore calls pam_systemd which in its turn tries to start
a systemd user instance: "user@474.service". However "user@474.service"
is supposed to be started after systemd-user-sessions.service which is
supposed to be started after network.target. Additionally,
ovsdb-server.service uses Before=network.target hence the deadlock.

We can work around this by switching to the 'root' user when we are
performing these pre-startup steps and fix up the DB permissions before
we start the actual ovsdb-server daemon.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630
Cc: Aaron Conole <aconole at redhat.com>
Signed-off-by: Markos Chandras <mchandras at suse.de>
Probably not the cleanest option so I am open to suggestions :)
 utilities/ovs-ctl.in | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 43c8f32b7..588f546fe 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -109,9 +109,15 @@ do_start_ovsdb () {
     if daemon_is_running ovsdb-server; then
         log_success_msg "ovsdb-server is already running"
-        # Create initial database or upgrade database schema.
-        upgrade_db $DB_FILE $DB_SCHEMA || return 1
+        # Create initial database or upgrade database schema. The runuser calls
+        # in ovsdb_tool function will fail on system startup so we need to run
+        # as root and fix permissions later on.
+        [ "$OVS_USER" != "" ] && OVS_USER_OVSDB=${OVS_USER}
+        OVS_USER="" upgrade_db $DB_FILE $DB_SCHEMA || return 1
+        if [ ! -z "${OVS_USER_OVSDB+x}" ]; then
+            OVS_USER=${OVS_USER_OVSDB}
+            chown -R "$OVS_USER" $etcdir $dbdir
+        fi
         # Start ovsdb-server.
         set ovsdb-server "$DB_FILE"
         for db in $EXTRA_DBS; do
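
Review bot: the `${OVS_USER_OVSDB+x}` test on the added `if` line only checks that OVS_USER_OVSDB is set, and nothing initialises it before `[ "$OVS_USER" != "" ] && OVS_USER_OVSDB=${OVS_USER}`, so when OVS_USER is empty a value inherited from the environment (even an empty one) passes the test, overwrites OVS_USER and reaches the root `chown -R`. Clear it first (`OVS_USER_OVSDB=`) and test with `[ -n "$OVS_USER_OVSDB" ]`. The chown itself is unchecked and broader than it needs to be: `$etcdir` and `$dbdir` are unquoted, a failure is ignored so the unprivileged daemon would then start against root-owned files, and the recursion hands everything under both directories to OVS_USER rather than only what upgrade_db created. Consider quoting both paths, adding `|| return 1`, and narrowing the target to "$DB_FILE" and the files the upgrade writes.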
