[ovs-dev] [PATCH] rhel: don't drop capabilities when running as root
Timothy Redaelli
tredaelli at redhat.com
Tue Mar 20 15:56:21 UTC 2018
On Tue, 13 Feb 2018 16:42:16 -0500
Aaron Conole <aconole at redhat.com> wrote:
> Currently, regardless of which user is being set as the running user,
> Open vSwitch daemons on RHEL systems drop capabilities. This means
> the very powerful CAP_SYS_ADMIN is dropped, even when the user is
> 'root'.
>
> For the majority of use cases this behavior works, as the user can
> enable or disable various configurations, regardless of which datapath
> functions are desired. However, when using certain DPDK PMDs, the
> enablement and configuration calls require CAP_SYS_ADMIN.
>
> Instead of retaining CAP_SYS_ADMIN in all cases, which would
> practically nullify the uid/gid and privilege drop, we don't pass the
> --ovs-user option to the daemons. This shunts the capability and
> privilege dropping code.
>
> Reported-by: Marcos Felipe Schwarz <marcos.f.sch at gmail.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
> Signed-off-by: Aaron Conole <aconole at redhat.com>
> ---
> NOTE: I did test this a little bit on my system, passing packets, etc.
> But more eyes can't be bad.
>
> rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++---
> rhel/usr_lib_systemd_system_ovsdb-server.service | 6 ++++--
> 2 files changed, 8 insertions(+), 5 deletions(-)
>
Acked-By: Timothy Redaelli <tredaelli at redhat.com>
--
Timothy Redaelli
Software Engineer
Red Hat Italia
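The commit message above changes which capabilities an Open vSwitch daemon keeps depending on whether --ovs-user is passed, so an operator will want to verify the effective set of a running daemon rather than trust the unit file. The script below is an added example, not part of this thread or of the OVS project: it reads the CapEff mask that the kernel exposes in /proc/<pid>/status and tests bit 21, which is CAP_SYS_ADMIN in linux/capability.h. The function names and the two sample status texts are constructed for illustration.

```shell
#!/bin/sh
# CAP_SYS_ADMIN is capability number 21 (linux/capability.h); CapEff in
# /proc/<pid>/status is a hex bitmask indexed by capability number.
CAP_SYS_ADMIN_BIT=21

# Given a CapEff hex mask (no 0x prefix, as printed by the kernel), print 1 if
# CAP_SYS_ADMIN is in the effective set, 0 otherwise.
cap_sys_admin_in_mask() {
    mask="$1"
    echo $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 ))
}

# Given the full text of a /proc/<pid>/status file, extract CapEff and test it.
cap_sys_admin_in_status() {
    m=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    [ -n "$m" ] || return 2          # no CapEff line: not a status file
    cap_sys_admin_in_mask "$m"
}

# Check a live process by pid; prints 1 or 0, returns 2 if it is not readable.
check_pid() {
    [ -r "/proc/$1/status" ] || return 2
    cap_sys_admin_in_status "$(cat "/proc/$1/status")"
}

# Constructed sample status excerpts (not captured from a real host):
# a daemon started as root that kept the full bounding set ...
SAMPLE_ROOT='Name:	ovs-vswitchd
Uid:	0	0	0	0
CapEff:	0000003fffffffff'
# ... and one whose privilege-drop path left only CAP_NET_ADMIN (bit 12)
# and CAP_NET_RAW (bit 13), i.e. mask 0x3000.
SAMPLE_DROPPED='Name:	ovs-vswitchd
Uid:	994	994	994	994
CapEff:	0000000000003000'

# Usage on a real system: check_pid "$(pidof ovs-vswitchd)"
# On the constructed samples the root daemon reports 1, the dropped one 0.
cap_sys_admin_in_status "$SAMPLE_ROOT"
cap_sys_admin_in_status "$SAMPLE_DROPPED"
```

Running check_pid against both ovs-vswitchd and ovsdb-server after a service restart shows directly whether the unit change had the intended effect: with --ovs-user omitted for root the mask should still contain bit 21, while a daemon started with --ovs-user set to an unprivileged account should report 0.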