[ovs-git] [openvswitch/ovs] 89caad: utilities: Launch ovsdb-tool without using PAM
noreply at github.com
Mon Aug 6 22:19:56 UTC 2018
Author: Timothy Redaelli <tredaelli at redhat.com>
Date: 2018-08-06 (Mon, 06 Aug 2018)
utilities: Launch ovsdb-tool without using PAM
When ovsdb-server is starting, it performs some DB steps such as
creating and upgrading the OvS DB. When we are running as
'non-root' user, the 'runuser' tool is used to manage the privileges.
However, when this happens during systemd boot, we observe the following
errors in journald:
Jun 21 07:32:57 virt systemd: session-c1.scope: Failed to add PIDs to
scope's control group: No such process
Jun 21 07:32:57 virt systemd: Failed to start Session c1 of user openvswitch.
Jun 21 07:32:57 virt systemd: session-c1.scope: Unit entered failed state.
According to the analysis performed on openSUSE bugzilla, it seems
that ovsdb-server.service creates (via the call to runuser) a user
session and therefore call pam_systemd which in its turn tries to start
a systemd user instance: "user at 474.service". However "user at 474.service"
is supposed to be started after systemd-user-sessions.service which is
supposed to be started after network.target. Additionally,
ovsdb-server.service uses Before=network.target hence the deadlock.
This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool" that
doesn't use PAM and so it permits to launch "ovsdb-tool" as a user without
having the deadlock. Since some old versions for "setpriv" (such as the
one used by RHEL7) doesn't support the username / groupname, but only the
user ids / group ids, "id" is used to get the user ID and the group IDs.
To replicate the same behaviour of "runuser", the effective group ID of
the user is used as GID (usually "openvswitch") and the remaining group
IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
built with DPDK support).
Reported-by: Markos Chandras <mchandras at suse.de>
Co-authored-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Aaron Conole <aconole at redhat.com>
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
More information about the git