[ovs-dev] [PATCH] rhel: don't drop capabilities when running as root

Timothy Redaelli tredaelli at redhat.com
Tue Mar 20 15:56:21 UTC 2018


On Tue, 13 Feb 2018 16:42:16 -0500
Aaron Conole <aconole at redhat.com> wrote:

> Currently, regardless of which user is being set as the running user,
> Open vSwitch daemons on RHEL systems drop capabilities.  This means
> the very powerful CAP_SYS_ADMIN is dropped, even when the user is
> 'root'.
> 
> For the majority of use cases this behavior works, as the user can
> enable or disable various configurations, regardless of which datapath
> functions are desired.  However, when using certain DPDK PMDs, the
> enablement and configuration calls require CAP_SYS_ADMIN.
> 
> Instead of retaining CAP_SYS_ADMIN in all cases, which would
> practically nullify the uid/gid and privilege drop, we don't pass the
> --ovs-user option to the daemons.  This shunts the capability and
> privilege dropping code.
> 
> Reported-by: Marcos Felipe Schwarz <marcos.f.sch at gmail.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
> Signed-off-by: Aaron Conole <aconole at redhat.com>
> ---
> NOTE: I did test this a little bit on my system, passing packets, etc.
>       But more eyes can't be bad.
> 
>  rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++---
>  rhel/usr_lib_systemd_system_ovsdb-server.service    | 6 ++++--
>  2 files changed, 8 insertions(+), 5 deletions(-)
> 

Acked-By: Timothy Redaelli <tredaelli at redhat.com>

-- 
Timothy Redaelli
Software Engineer
Red Hat Italia
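A practical way to confirm what the quoted patch is about, i.e. whether a running ovs-vswitchd actually kept or dropped CAP_SYS_ADMIN, is to decode the CapEff mask in /proc/<pid>/status. The helper below is an added example, not part of the patch or of Open vSwitch; the capability number 21 for CAP_SYS_ADMIN, the RHEL pidfile path and the reduced mask in the sample data are assumptions, and the status text is constructed.

```shell
#!/bin/sh
# Check whether a daemon's effective capability set (CapEff) contains a
# given capability. Useful after the rhel/ovs-user change above: a root
# ovs-vswitchd should report CAP_SYS_ADMIN present, a non-root one absent.
set -eu

CAP_SYS_ADMIN=21   # assumed: capability number from <linux/capability.h>

# cap_in_mask HEXMASK CAPNUM -> prints "yes" if bit CAPNUM is set, else "no"
cap_in_mask() {
    mask=$1
    capnum=$2
    if [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# capeff_from_status STATUSTEXT -> prints the hex mask after "CapEff:"
# (awk splits on tabs or spaces, so real /proc output works too)
capeff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# daemon_has_cap PID CAPNUM -> "yes"/"no" for a live process
daemon_has_cap() {
    daemon_status=$(cat "/proc/$1/status")
    cap_in_mask "$(capeff_from_status "$daemon_status")" "$2"
}

# Constructed sample data (not captured from a real host): a daemon that
# kept the full root set, and one reduced to an assumed mask holding only
# CAP_NET_ADMIN (12) and CAP_NET_RAW (13), i.e. without bit 21.
ROOT_STATUS="Name:   ovs-vswitchd
Uid:    0       0       0       0
CapEff: 0000003fffffffff"
DROPPED_STATUS="Name:   ovs-vswitchd
Uid:    993     993     993     993
CapEff: 0000000000003000"

# Example against the constructed samples; for a live check use e.g.
#   daemon_has_cap "$(cat /run/openvswitch/ovs-vswitchd.pid)" "$CAP_SYS_ADMIN"
# (pidfile path assumed to be the RHEL default).
cap_in_mask "$(capeff_from_status "$ROOT_STATUS")" "$CAP_SYS_ADMIN"     # yes
cap_in_mask "$(capeff_from_status "$DROPPED_STATUS")" "$CAP_SYS_ADMIN"  # no
```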
