[ovs-git] [openvswitch/ovs] 92d535: redhat: allow arbitrary user:group

GitHub noreply at github.com
Tue Aug 8 17:42:08 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 92d53574d5039e1173347754090cf64ccf2af57c
      https://github.com/openvswitch/ovs/commit/92d53574d5039e1173347754090cf64ccf2af57c
  Author: aaron conole <aconole at redhat.com>
  Date:   2017-08-08 (Tue, 08 Aug 2017)

  Changed paths:
    M rhel/automake.mk
    A rhel/etc_openvswitch_default.conf
    M rhel/openvswitch-fedora.spec.in
    M rhel/usr_lib_systemd_system_ovs-vswitchd.service
    M rhel/usr_lib_systemd_system_ovsdb-server.service
    M rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template

  Log Message:
  -----------
  redhat: allow arbitrary user:group

Under rpm-based distributions, the only user:group that the rhel daemons run
as is 'root:root'.  This is fine as a default, but as part of a security
procedure, users may want to run as an alternate uid/gid.  This commit
adds an OVS_USER_ID environment variable for systemd, which defaults to
root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
environment file.

Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>


  Commit: ac416a3ab2d200284b4eeba0544056694850e65d
      https://github.com/openvswitch/ovs/commit/ac416a3ab2d200284b4eeba0544056694850e65d
  Author: aaron conole <aconole at redhat.com>
  Date:   2017-08-08 (Tue, 08 Aug 2017)

  Changed paths:
    M rhel/openvswitch-fedora.spec.in
    M rhel/usr_lib_systemd_system_ovsdb-server.service

  Log Message:
  -----------
  redhat: dynamically allocate and reference ovs user

After this commit, the fedora RPM will create the openvswitch user, from the
non-static pool, for use as an Open vSwitch daemon user.  This only happens
on install - not upgrade.  This will be the default user:group
combination for the openvswitch daemons.

To do this in a way that doesn't impact existing installations, the
/etc/openvswitch directory will be created during the installation,
rather than being provided as part of the rpm.

Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
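
The install-only account creation this commit describes, as an added example of the usual Fedora packaging pattern; this is not the scriptlet from rhel/openvswitch-fedora.spec.in, whose details may differ. In an RPM %pre/%post scriptlet `$1` is the number of instances of the package that will exist after the transaction, so 1 means fresh install and 2 or more means upgrade. The home directory, the 0750 mode on /etc/openvswitch and the `OVS_DRY_RUN` knob are assumptions made so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not the scriptlet from rhel/openvswitch-fedora.spec.in.
# Body of an RPM %pre scriptlet that creates the daemon account on first
# install only.  RPM passes the number of package instances that will be
# present after the transaction as $1: 1 = fresh install, 2 or more =
# upgrade, where an existing account must be left untouched so files
# already owned by it keep their ownership.

OVS_USER=${OVS_USER:-openvswitch}
OVS_HOME=${OVS_HOME:-/var/run/openvswitch}      # assumed home directory
OVS_ETC=${OVS_ETC:-/etc/openvswitch}

# run CMD...: execute, or only print when OVS_DRY_RUN=1 (assumed knob so
# the scriptlet logic can be exercised without root).
run() {
    if [ "${OVS_DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

group_exists() { getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null; }
user_exists()  { id "$1" >/dev/null 2>&1; }

# %pre body: ovs_pre_scriptlet $1
ovs_pre_scriptlet() {
    [ "${1:-1}" -eq 1 ] || return 0          # upgrade: never recreate or renumber the account
    # -r allocates from the system (non-static) uid/gid pool; the shell is
    # nologin so the account cannot be used interactively.
    group_exists "$OVS_USER" || run groupadd -r "$OVS_USER"
    user_exists "$OVS_USER"  || run useradd -r -g "$OVS_USER" -d "$OVS_HOME" \
                                    -s /sbin/nologin -c "Open vSwitch Daemons" "$OVS_USER"
}

# %post body: create /etc/openvswitch at install time instead of shipping it
# in the package, so a directory that already exists (and its ownership)
# survives an upgrade.  The 0750 mode is an assumption for this example.
ovs_post_scriptlet() {
    [ -d "$OVS_ETC" ] || run install -d -m 0750 -o "$OVS_USER" -g "$OVS_USER" "$OVS_ETC"
}
```

The two existence checks make the scriptlet idempotent, which matters because a failed or repeated transaction would otherwise try to add the account twice; the `$1` guard is what keeps an upgrade from touching an account that the running daemons and their files already depend on.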


  Commit: 3828b456124b85093b414984daacbc8fae39dfca
      https://github.com/openvswitch/ovs/commit/3828b456124b85093b414984daacbc8fae39dfca
  Author: aaron conole <aconole at redhat.com>
  Date:   2017-08-08 (Tue, 08 Aug 2017)

  Changed paths:
    M Makefile.am
    A build-aux/dpdkstrip.pl

  Log Message:
  -----------
  dpdkstrip: add a preprocessor tool for stripping dpdk blocks

Normally, in C code, pre-processing macros can be used to enable/disable
specific functionality based on switches passed to configure.  This works
for DPDK using the --with-dpdk flag, which sets the DPDK_NETDEV define to
the appropriate value.

However, not all files are processed with the C pre-processor.  For those
files which are not, this commit adds a new pre-processor tool for .in
files to either include or exclude those stanzas as appropriate.

Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
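
A stripping pre-processor of the kind this commit describes, as an added example in POSIX sh and awk; it is not the project's build-aux/dpdkstrip.pl. The stanza markers `@begin_dpdk@`/`@end_dpdk@`, the `--dpdk`/`--nodpdk` flags and the sample unit-file input are assumptions for this example; check the real tool for its own conventions.

```shell
#!/bin/sh
# Added example (not OVS's build-aux/dpdkstrip.pl): a POSIX sh + awk version
# of the same idea for files the C preprocessor never sees (*.in service
# files, scripts).  Assumed conventions: a stanza opens with a line that
# contains @begin_dpdk@ and closes with a line that contains @end_dpdk@;
# the marker lines are always removed.  --dpdk keeps stanza bodies,
# --nodpdk drops them.  Malformed nesting is an error, not silently
# accepted, so a build with DPDK disabled cannot ship half a stanza.

# dpdkstrip --dpdk|--nodpdk < file.in > file
dpdkstrip() {
    case "$1" in
        --dpdk)   keep=1 ;;
        --nodpdk) keep=0 ;;
        *) echo "usage: dpdkstrip --dpdk|--nodpdk < file.in" >&2; return 2 ;;
    esac
    awk -v keep="$keep" '
        function die(msg) {
            print "dpdkstrip: " msg " at line " NR > "/dev/stderr"
            err = 3; exit 3
        }
        /@begin_dpdk@/ { if (indpdk) die("nested @begin_dpdk@"); indpdk = 1; next }
        /@end_dpdk@/   { if (!indpdk) die("stray @end_dpdk@");  indpdk = 0; next }
        indpdk && !keep { next }   # inside a DPDK stanza with DPDK disabled
        { print }
        END {
            if (err) exit err
            if (indpdk) { print "dpdkstrip: unterminated @begin_dpdk@" > "/dev/stderr"; exit 3 }
        }
    '
}

# Constructed sample input in the style of a systemd unit template.
dpdkstrip_sample() {
    cat <<'EOF'
[Service]
ExecStartPre=-/usr/bin/echo plain-line
@begin_dpdk@
ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
@end_dpdk@
ExecStart=/usr/bin/true
EOF
}

# Stand-alone demo: show both outputs.
if [ "${1:-}" = --demo ]; then
    echo '# --nodpdk'; dpdkstrip_sample | dpdkstrip --nodpdk
    echo '# --dpdk';   dpdkstrip_sample | dpdkstrip --dpdk
fi
```

Run it as `sh dpdkstrip.sh --demo` to see both renderings. The nesting and unterminated-stanza checks are the part worth keeping in any such tool: a silently accepted stray marker would leave a privileged `ExecStartPre=` line in a build that was supposed to exclude it.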


  Commit: 491a9d3b6b2298f741d01d4398f80f388f1588a7
      https://github.com/openvswitch/ovs/commit/491a9d3b6b2298f741d01d4398f80f388f1588a7
  Author: aaron conole <aconole at redhat.com>
  Date:   2017-08-08 (Tue, 08 Aug 2017)

  Changed paths:
    M rhel/.gitignore
    M rhel/automake.mk
    M rhel/openvswitch-fedora.spec.in
    R rhel/usr_lib_systemd_system_ovs-vswitchd.service
    A rhel/usr_lib_systemd_system_ovs-vswitchd.service.in

  Log Message:
  -----------
  redhat: dynamic service file for vswitchd

This commit changes the service file from static configuration to an
autogenerated file, produced during the build.  This will be relevant in a
future commit.

Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>


  Commit: e3e738a3d0580a9a7178adfc9300a193b8df4ae5
      https://github.com/openvswitch/ovs/commit/e3e738a3d0580a9a7178adfc9300a193b8df4ae5
  Author: aaron conole <aconole at redhat.com>
  Date:   2017-08-08 (Tue, 08 Aug 2017)

  Changed paths:
    M Documentation/intro/install/dpdk.rst
    M NEWS
    M rhel/README.RHEL.rst
    M rhel/openvswitch-fedora.spec.in
    M rhel/usr_lib_systemd_system_ovs-vswitchd.service.in

  Log Message:
  -----------
  redhat: allow dpdk to also run as non-root user

After this commit, users may start a dpdk-enabled ovs setup as a
non-root user.  This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership.  This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete.  There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges.  However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.

This does not change OvS+DPDK's SELinux requirements.  It still must be
disabled.

Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
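
The contract that the "allow arbitrary user:group" commit and this one set up for the systemd units, as an added example that is not the project's unit file or ovs-ctl: a pre-start check that reads OVS_USER_ID from /etc/sysconfig/openvswitch, applies the root:root default, validates the user:group syntax, derives the group half for the hugetlbfs ownership change, and exports the HOME that DPDK needs. The file paths and the variable name come from the commit messages; the validation rule, the 0770 mode, the HOME location, the sample group name `hugetlbfs` and the `OVS_DRY_RUN` knob are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the project's unit file or ovs-ctl.  Pre-start logic
# matching the contract the two commits describe: OVS_USER_ID="user:group"
# lives in /etc/sysconfig/openvswitch and defaults to root:root; the group
# half is what /dev/hugepages is chgrp'ed to so a non-root ovs-vswitchd can
# map hugepages for DPDK; HOME must be exported because DPDK stores its RTE
# runtime configuration under it.  The validation rule, mode 0770, the HOME
# location and the OVS_DRY_RUN knob are assumptions for this example.

OVS_SYSCONFIG=${OVS_SYSCONFIG:-/etc/sysconfig/openvswitch}
OVS_HUGEPAGES=${OVS_HUGEPAGES:-/dev/hugepages}
OVS_RUNDIR=${OVS_RUNDIR:-/var/run/openvswitch}

run() {   # execute, or print when OVS_DRY_RUN=1
    if [ "${OVS_DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# ovs_load_user_id [ENVFILE] -> effective user:group on stdout.  The file is
# parsed, not sourced (systemd's EnvironmentFile= is KEY=VALUE, not shell),
# the last assignment wins, surrounding quotes are stripped, and a missing
# file is tolerated like "EnvironmentFile=-".
ovs_load_user_id() {
    envfile=${1:-$OVS_SYSCONFIG}
    val=
    if [ -r "$envfile" ]; then
        val=$(sed -n 's/^[[:space:]]*OVS_USER_ID=//p' "$envfile" | tail -n 1 \
              | sed 's/^["'\'']//; s/["'\'']$//')
    fi
    printf '%s\n' "${val:-root:root}"
}

# ovs_user_id_valid USER:GROUP -> 0 only for one pair of portable account
# names: no empty halves, no whitespace, no shell metacharacters, so the
# value is safe to hand to chown and to a daemon command line.
ovs_user_id_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*:[A-Za-z_][A-Za-z0-9_.-]*$'
}

ovs_user_of()  { printf '%s\n' "${1%%:*}"; }
ovs_group_of() { printf '%s\n' "${1##*:}"; }   # same expansion a unit file would use

# ovs_prestart [ENVFILE]: the steps that need root before privileges are
# dropped.  Returns non-zero on a bad OVS_USER_ID so the unit fails closed
# instead of starting as an unintended identity.
ovs_prestart() {
    user_id=$(ovs_load_user_id "$1")
    if ! ovs_user_id_valid "$user_id"; then
        echo "ovs_prestart: refusing OVS_USER_ID '$user_id'" >&2
        return 1
    fi
    usr=$(ovs_user_of "$user_id"); grp=$(ovs_group_of "$user_id")
    export HOME=$OVS_RUNDIR        # DPDK's per-user RTE files land here, owned by the daemon
    [ "$usr" = root ] && return 0  # root already writes /dev/hugepages; change nothing
    if [ "${OVS_DRY_RUN:-0}" != 1 ] && \
       ! grep -qs "[[:space:]]$OVS_HUGEPAGES[[:space:]]hugetlbfs[[:space:]]" /proc/mounts; then
        echo "ovs_prestart: $OVS_HUGEPAGES is not a hugetlbfs mount" >&2
        return 1
    fi
    # Widen hugetlbfs only to the daemon's group, never world-writable.
    run chown ":$grp" "$OVS_HUGEPAGES"
    run chmod 0770 "$OVS_HUGEPAGES"
}
```

Two caveats a deployer should weigh: group write on the hugetlbfs mount lets every member of that group allocate and map hugepages, so the group should be dedicated to the switch rather than a shared one; and because the chgrp happens before the daemon drops privileges, the check on OVS_USER_ID is the only thing standing between a typo in /etc/sysconfig/openvswitch and a chown to the wrong group, which is why the function refuses anything that is not a single well-formed user:group pair.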


Compare: https://github.com/openvswitch/ovs/compare/6b1babacc3ca...e3e738a3d058

