[ovs-dev] [PATCH] rhel: don't drop capabilities when running as root

Aaron Conole aconole at redhat.com
Wed Mar 28 21:04:07 UTC 2018


Russell Bryant <russell at ovn.org> writes:

> On Tue, Mar 27, 2018 at 9:26 AM, Aaron Conole <aconole at redhat.com> wrote:
>> Aaron Conole <aconole at redhat.com> writes:
>>
>>> Currently, regardless of which user is being set as the running user,
>>> Open vSwitch daemons on RHEL systems drop capabilities.  This means the
>>> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.
>>>
>>> For the majority of use cases this behavior works, as the user can
>>> enable or disable various configurations, regardless of which datapath
>>> functions are desired.  However, when using certain DPDK PMDs, the
>>> enablement and configuration calls require CAP_SYS_ADMIN.
>>>
>>> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
>>> nullify the uid/gid and privilege drop, we don't pass the --ovs-user
>>> option to the daemons.  This shunts the capability and privilege
>>> dropping code.
>>>
>>> Reported-by: Marcos Felipe Schwarz <marcos.f.sch at gmail.com>
>>> Reported-at:
>>> https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
>>> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
>>> Signed-off-by: Aaron Conole <aconole at redhat.com>
>>> ---
>>
>> Ping?
>
> Applied to master and branch-2.9.
>
> Please continue to CC me on rhel patches like this that have been
> reviewed by someone and you feel are ready to be applied.

Cool, will do.  Thanks Russell!

> Thanks,
