[ovs-git] [openvswitch/ovs] 92d535: redhat: allow arbitrary user:group
GitHub
noreply at github.com
Tue Aug 8 17:42:08 UTC 2017
Branch: refs/heads/master
Home: https://github.com/openvswitch/ovs
Commit: 92d53574d5039e1173347754090cf64ccf2af57c
https://github.com/openvswitch/ovs/commit/92d53574d5039e1173347754090cf64ccf2af57c
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/automake.mk
A rhel/etc_openvswitch_default.conf
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovs-vswitchd.service
M rhel/usr_lib_systemd_system_ovsdb-server.service
M rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
Log Message:
-----------
redhat: allow arbitrary user:group
Under rpm based distributions, the only user:group that the rhel daemons run
as is 'root:root'. This is fine as a default, but as part of a security
procedure, users may want to run as an alternate uid/gid. This commit
adds an OVS_USER_ID environment variable for systemd, which defaults to
root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
environment file.
Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: ac416a3ab2d200284b4eeba0544056694850e65d
https://github.com/openvswitch/ovs/commit/ac416a3ab2d200284b4eeba0544056694850e65d
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovsdb-server.service
Log Message:
-----------
redhat: dynamically allocate and reference ovs user
After this commit, the fedora RPM will create the openvswitch user, from the
non-static pool, for use as an Open vSwitch daemon user. This only happens
on install - not upgrade. This will be the default user:group
combination for the openvswitch daemons.
To do this in a way that doesn't impact existing installations, the
/etc/openvswitch directory will be created during the installation,
rather than being provided as part of the rpm.
Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: 3828b456124b85093b414984daacbc8fae39dfca
https://github.com/openvswitch/ovs/commit/3828b456124b85093b414984daacbc8fae39dfca
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M Makefile.am
A build-aux/dpdkstrip.pl
Log Message:
-----------
dpdkstrip: add a preprocessor tool for stripping dpdk blocks
Normally, in C code, pre-processing macros can be used to enable/disable
specific functionality based on switches passed to configure. This works
for DPDK using the --with-dpdk flag, which sets the DPDK_NETDEV define to
the appropriate value.
However, not all files are processed with the C pre-processor. For those
files which are not, this commit adds a new pre-processor tool for .in
files to either include or exclude those stanzas as appropriate.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: 491a9d3b6b2298f741d01d4398f80f388f1588a7
https://github.com/openvswitch/ovs/commit/491a9d3b6b2298f741d01d4398f80f388f1588a7
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/.gitignore
M rhel/automake.mk
M rhel/openvswitch-fedora.spec.in
R rhel/usr_lib_systemd_system_ovs-vswitchd.service
A rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
Log Message:
-----------
redhat: dynamic service file for vswitchd
This commit changes the service file from static configuration to an
autogenerated file, produced during the build. This will be relevant in a
future commit.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: e3e738a3d0580a9a7178adfc9300a193b8df4ae5
https://github.com/openvswitch/ovs/commit/e3e738a3d0580a9a7178adfc9300a193b8df4ae5
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M Documentation/intro/install/dpdk.rst
M NEWS
M rhel/README.RHEL.rst
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
Log Message:
-----------
redhat: allow dpdk to also run as non-root user
After this commit, users may start a dpdk-enabled ovs setup as a
non-root user. This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.
This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership. This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete. There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges. However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.
This does not change OvS+DPDK's SELinux requirements. It still must be
disabled.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Compare: https://github.com/openvswitch/ovs/compare/6b1babacc3ca...e3e738a3d058