[ovs-git] [openvswitch/ovs] 6796c0: rhel: don't drop capabilities when running as root

GitHub noreply at github.com
Tue Mar 27 21:32:20 UTC 2018


  Branch: refs/heads/branch-2.9
  Home:   https://github.com/openvswitch/ovs
  Commit: 6796c04a9afacf2d09248509d54d5ea586050a3c
      https://github.com/openvswitch/ovs/commit/6796c04a9afacf2d09248509d54d5ea586050a3c
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-03-27 (Tue, 27 Mar 2018)

  Changed paths:
    M rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
    M rhel/usr_lib_systemd_system_ovsdb-server.service

  Log Message:
  -----------
  rhel: don't drop capabilities when running as root

Currently, regardless of which user is being set as the running user,
Open vSwitch daemons on RHEL systems drop capabilities.  This means the
very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.

For the majority of use cases this behavior works, as the user can
enable or disable various configurations, regardless of which datapath
functions are desired.  However, when using certain DPDK PMDs, the
enablement and configuration calls require CAP_SYS_ADMIN.

Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
nullify the uid/gid and privilege drop, we don't pass the --ovs-user
option to the daemons.  This shunts the capability and privilege
dropping code.

Reported-by: Marcos Felipe Schwarz <marcos.f.sch at gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
Signed-off-by: Aaron Conole <aconole at redhat.com>
Acked-By: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Russell Bryant <russell at ovn.org>
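The commit above changes which capabilities the daemon ends up with, so the practical follow-up is to verify, on a running system, whether ovs-vswitchd still holds CAP_SYS_ADMIN. The shell snippet below is an added example, not part of the OVS commit or the OVS tree: it decodes the CapEff bitmask from /proc/<pid>/status (CAP_SYS_ADMIN is capability number 21 in linux/capability.h). The two status excerpts are constructed sample input; the function and variable names are my own.

```shell
# Added example (not OVS code): audit whether a daemon retains CAP_SYS_ADMIN by
# decoding the CapEff bitmask that the kernel reports in /proc/<pid>/status.
# CAP_SYS_ADMIN is capability number 21 on Linux.
CAP_SYS_ADMIN_BIT=21

# Return 0 (true) if the hex capability mask has the CAP_SYS_ADMIN bit set.
has_cap_sys_admin() {
    mask="$1"
    [ $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Print the CapEff value from text in /proc/<pid>/status format, read from stdin.
capeff_from_status() {
    sed -n 's/^CapEff:[[:space:]]*//p'
}

# Human-readable verdict for one process; usage: check_pid "$(pidof ovs-vswitchd)"
check_pid() {
    pid="$1"
    mask=$(capeff_from_status < "/proc/$pid/status") || return 2
    if has_cap_sys_admin "$mask"; then
        echo "pid $pid: CapEff=$mask retains CAP_SYS_ADMIN"
    else
        echo "pid $pid: CapEff=$mask has dropped CAP_SYS_ADMIN"
    fi
}

# Constructed sample: a status excerpt from a daemon that dropped privileges and
# kept only a couple of network capabilities (bits 12 and 13; bit 21 is clear).
SAMPLE_DROPPED_STATUS='Name: ovs-vswitchd
Uid: 0 0 0 0
CapEff: 0000000000003000'

# Constructed sample: a root daemon that never went through the privilege drop
# (bit 21 is set in this mask).
SAMPLE_FULL_STATUS='Name: ovs-vswitchd
Uid: 0 0 0 0
CapEff: 0000003fffffffff'
```

Run `check_pid "$(pidof ovs-vswitchd)"` on a host before and after applying the unit-file change to confirm the effect: with `--ovs-user` still passed, the daemon's CapEff lacks bit 21 even when the configured user is root; without it, a root daemon keeps CAP_SYS_ADMIN, which is exactly the trade-off the commit message describes.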