[ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processes run as root

Darrell Ball dlu998 at gmail.com
Tue Apr 16 06:21:09 UTC 2019


Thanks for the fix

1/ Main changes to openvswitch-fedora.spec.in look ok to me, but we should
probably also see if there are any specific use-case concerns from others.

2/ A couple of comments inline

3/ Regarding playbook-fedora-builder.yml in general, there is an issue with
playbook-fedora-builder.yml, assuming I use it "as is".


dball at ubuntu:~/ovs/poc/builders$ sudo vagrant up
DEPRECATION: The 'sudo' option for the Ansible provisioner is deprecated.
Please use the 'become' option instead.
The 'sudo' option will be removed in a future release of Vagrant.

Bringing machine 'fedorabuilder' up with 'virtualbox' provider...
==> fedorabuilder: Box 'fedora/27-cloud-base' could not be found.
Attempting to find and install...
    fedorabuilder: Box Provider: virtualbox
    fedorabuilder: Box Version: >= 0
==> fedorabuilder: Loading metadata for box 'fedora/27-cloud-base'
    fedorabuilder: URL: https://vagrantcloud.com/fedora/27-cloud-base
==> fedorabuilder: Adding box 'fedora/27-cloud-base' (v20171105) for
provider: virtualbox
    fedorabuilder: Downloading:
https://vagrantcloud.com/fedora/boxes/27-cloud-base/versions/20171105/providers/virtualbox.box
    fedorabuilder: Download redirected to host: download.fedoraproject.org
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

The requested URL returned error: 404 Not Found

On Mon, Apr 15, 2019 at 6:26 PM Ansis Atteka <aatteka at ovn.org> wrote:

> Otherwise, Open vSwitch will fail to start with the following
> error "libcap-ng is not configured at compile time" when it
> attempts to downgrade to Open vSwitch user.
>
> Also, if packages were built in a way where processes are
> supposed to be running only as root, then there is no point
> in creating "openvswitch" user in the first place.
>
> Signed-off-by: Ansis Atteka <aatteka at ovn.org>
> ---
>  poc/playbook-fedora-builder.yml | 6 +++---
>  rhel/openvswitch-fedora.spec.in | 8 ++++++++
>  2 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/poc/playbook-fedora-builder.yml
> b/poc/playbook-fedora-builder.yml
> index 70f0b6ff2..b955714fc 100644
> --- a/poc/playbook-fedora-builder.yml
> +++ b/poc/playbook-fedora-builder.yml
> @@ -99,17 +99,17 @@
>        - openvswitch-dkms.spec
>
>    - name: Build Open vSwitch user space rpms
> -    command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +    command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-fedora.spec
>      args:
>          chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
>    - name: Build Open vSwitch kmod rpm
> -    command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +    command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-fedora.spec
>

Is the correct spec file openvswitch-kmod-fedora.spec?
Hence, do we need a change here?


>      args:
>          chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
>    - name: Build Open vSwitch dkms rpm
> -    command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
> +    command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-dkms.spec
>

Do you need this line changed?



>      args:
>          chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
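Review bot: hardcoding `--without libcapng` into all three rpmbuild commands makes every rpm this builder produces run the daemons as root, silently dropping the privilege separation the packaging otherwise provides; consider carrying the flag in a playbook variable that defaults to building with libcapng, so the root-only build is an explicit, visible choice rather than the builder's default. The diffstat shows only rhel/openvswitch-fedora.spec.in being changed, so the same flag passed to the dkms step (`rpmbuild -bb --without check --without libcapng rhel/openvswitch-dkms.spec`) has nothing in this patch that consumes it, and the kmod step still names rhel/openvswitch-fedora.spec, which looks like the wrong spec for that step.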
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
> openvswitch-fedora.spec.in
> index c1cd3f4c6..ce728b4f0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
>  %endif
>
>  %pre
> +%if %{with libcapng}
>  getent group openvswitch >/dev/null || groupadd -r openvswitch
>  getent passwd openvswitch >/dev/null || \
>      useradd -r -g openvswitch -d / -s /sbin/nologin \
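Review bot: `%if %{with libcapng}` only evaluates to true when the spec declares the bcond (`%bcond_without libcapng`) earlier in the file; none of the hunks shows that declaration, so please confirm it is already there, otherwise this branch is skipped on every build, the openvswitch user is never created and %files falls through to root ownership even for a normal build. Since the new `%if` now wraps the existing hugetlbfs `%if`/`%endif`, a short comment on the outer `%endif` would keep the nesting readable.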
> @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
>      getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
>      usermod -a -G hugetlbfs openvswitch
>  %endif
> +%endif
>  exit 0
>
>  %post
> +%if %{with libcapng}
>  if [ $1 -eq 1 ]; then
>      sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
>      sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:'
> %{_sysconfdir}/logrotate.d/openvswitch
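Review bot: guarding the `if [ $1 -eq 1 ]` block handles a fresh install of a root-only build correctly (`#OVS_USER_ID=` stays commented out), but an upgrade (`$1 -eq 2`) from an rpm built with libcap-ng to one built without leaves the existing `OVS_USER_ID=openvswitch` in /etc/sysconfig/openvswitch, and the daemon will then fail with exactly the "libcap-ng is not configured at compile time" error the commit message describes. Either comment the variable back out in an `%else` path on upgrade, or state in the commit message that switching build flavours on an installed system is not supported.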
> @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
>      chown -R openvswitch:openvswitch /etc/openvswitch
>      chown -R openvswitch:openvswitch /var/log/openvswitch
>  fi
> +%endif
>
>  %if 0%{?systemd_post:1}
>      %systemd_post %{name}.service
> @@ -445,7 +449,11 @@ fi
>  %endif
>
>  %files
> +%if %{with libcapng}
>  %defattr(-,openvswitch,openvswitch)
> +%else
> +%defattr(-,root,root)
> +%endif
>  %dir %{_sysconfdir}/openvswitch
>  %{_sysconfdir}/openvswitch/default.conf
>  %config %ghost %{_sysconfdir}/openvswitch/conf.db
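Review bot: the `%else` branch with `%defattr(-,root,root)` is redundant, since rpm already defaults file ownership to root:root, so `%if %{with libcapng}` / `%defattr(-,openvswitch,openvswitch)` / `%endif` alone gives the same result with less to maintain; if you keep it for explicitness, a one-line comment saying that root ownership is intentional for the no-libcap-ng build would help the next reader. Either way, please double-check that the `%config %ghost` conf.db entry and the log and run directories below this point are meant to pick up root ownership too, since `%defattr` applies to everything that follows it.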
> --
> 2.14.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>