[ovs-git] [openvswitch/ovs] 7f8d03: redhat: allow arbitrary user:group
GitHub
noreply at github.com
Tue Aug 8 17:45:15 UTC 2017
Branch: refs/heads/branch-2.8
Home: https://github.com/openvswitch/ovs
Commit: 7f8d031836b0f39ec96f4d4cd5e09ae5227d5f89
https://github.com/openvswitch/ovs/commit/7f8d031836b0f39ec96f4d4cd5e09ae5227d5f89
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/automake.mk
A rhel/etc_openvswitch_default.conf
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovs-vswitchd.service
M rhel/usr_lib_systemd_system_ovsdb-server.service
M rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
Log Message:
-----------
redhat: allow arbitrary user:group
Under rpm based distributions, the only user:group that the rhel daemons run
as is 'root:root'. This is fine as a default, but as part of a security
procedure, users may want to run as an alternate uid/gid. This commit
adds an OVS_USER_ID environment variable for systemd, which defaults to
root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
environment file.
Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: 5f17ca81a4cb5848d4f07a6758162b82c3fecc28
https://github.com/openvswitch/ovs/commit/5f17ca81a4cb5848d4f07a6758162b82c3fecc28
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovsdb-server.service
Log Message:
-----------
redhat: dynamically allocate and reference ovs user
After this commit, the fedora RPM will create the openvswitch user, from the
non-static pool, for use as an Open vSwitch daemon user. This only happens
on install - not upgrade. This will be the default user:group
combination for the openvswitch daemons.
To do this in a way that doesn't impact existing installations, the
/etc/openvswitch directory will be created during the installation,
rather than being provided as part of the rpm.
Acked-by: Markos Chandras <mchandras at suse.de>
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: 9bf077b5c398cabc92312845f6a78b390821ecbd
https://github.com/openvswitch/ovs/commit/9bf077b5c398cabc92312845f6a78b390821ecbd
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M Makefile.am
A build-aux/dpdkstrip.pl
Log Message:
-----------
dpdkstrip: add a preprocessor tool for stripping dpdk blocks
Normally, in C code, pre-processing macros can be used to enable/disable
specific functionality based on switches passed to configure. This works
for DPDK using the --with-dpdk flag, which sets the DPDK_NETDEV define to
the appropriate value.
However, not all files are processed with the C pre-processor. For those
files which are not, this commit adds a new pre-processor tool for .in
files to either include or exclude those stanzas as appropriate.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: f98ba9fc5ae9fc16409afccf9a097837d69c17a8
https://github.com/openvswitch/ovs/commit/f98ba9fc5ae9fc16409afccf9a097837d69c17a8
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M rhel/.gitignore
M rhel/automake.mk
M rhel/openvswitch-fedora.spec.in
R rhel/usr_lib_systemd_system_ovs-vswitchd.service
A rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
Log Message:
-----------
redhat: dynamic service file for vswitchd
This commit changes the service file from static configuration to an
autogenerated file, produced during the build. This will be relevant in a
future commit.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Commit: b7ff4a4a917f06709220a138dfc0b6aeae6e6d5f
https://github.com/openvswitch/ovs/commit/b7ff4a4a917f06709220a138dfc0b6aeae6e6d5f
Author: aaron conole <aconole at redhat.com>
Date: 2017-08-08 (Tue, 08 Aug 2017)
Changed paths:
M Documentation/intro/install/dpdk.rst
M NEWS
M rhel/README.RHEL.rst
M rhel/openvswitch-fedora.spec.in
M rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
Log Message:
-----------
redhat: allow dpdk to also run as non-root user
After this commit, users may start a dpdk-enabled ovs setup as a
non-root user. This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.
This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership. This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete. There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges. However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.
This does not change OvS+DPDK's SELinux requirements. It still must be
disabled.
Signed-off-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
Compare: https://github.com/openvswitch/ovs/compare/5734dbfca8cb...b7ff4a4a917f