Hello community,

here is the log from the commit of package openvswitch for openSUSE:Factory checked in at 2019-06-12 13:19:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvswitch (Old)
 and      /work/SRC/openSUSE:Factory/.openvswitch.new.4811 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvswitch" Wed Jun 12 13:19:18 2019 rev:42 rq:709321 version:2.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/openvswitch/openvswitch.changes 2019-05-15 12:35:34.364341542 +0200 +++ /work/SRC/openSUSE:Factory/.openvswitch.new.4811/openvswitch.changes 2019-06-12 13:19:22.608549529 +0200 @@ -1,0 +2,7 @@ +Mon Jun 10 17:12:00 UTC 2019 - <[email protected]> + +- Add upstream patches to fix bsc#1135884: + * 0001-rhel-secure-openvswitch-useropts.patch + * 0002-rhel-let-ctl-handle-runtime-directory.patch + +------------------------------------------------------------------- New: ---- 0001-rhel-secure-openvswitch-useropts.patch 0002-rhel-let-ctl-handle-runtime-directory.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvswitch.spec ++++++ --- /var/tmp/diff_new_pack.esOGgO/_old 2019-06-12 13:19:23.180549268 +0200 +++ /var/tmp/diff_new_pack.esOGgO/_new 2019-06-12 13:19:23.184549266 +0200 @@ -55,6 +55,10 @@ Source89: Module.supported.updates # PATCH-FIX-OPENSUSE: Use-strongswan-for-openvswitch-ipsec-service.patch Patch0: 0001-Use-strongswan-for-openvswitch-ipsec-service.patch +# PATCH-FIX-UPSTREAM: 0001-rhel-secure-openvswitch-useropts.patch +Patch1: 0001-rhel-secure-openvswitch-useropts.patch +# PATCH-FIX-UPSTREAM: 0002-rhel-let-ctl-handle-runtime-directory.patch +Patch2: 0002-rhel-let-ctl-handle-runtime-directory.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: graphviz @@ -336,6 +340,8 @@ %prep %setup -q -n openvswitch-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build set -- * .travis* .mailmap .cirrus.yml @@ -903,6 +909,7 @@ %endif %attr(750,root,root) %dir %{_localstatedir}/log/openvswitch %ghost %attr(755,root,root) %{_rundir}/openvswitch +%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts %if %{with dpdk} %{_prefix}/lib/udev/rules.d/91-vfio.rules %endif ++++++ 0001-rhel-secure-openvswitch-useropts.patch ++++++ 
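Review bot: the new `%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts` entry has to stay in step with how the unit creates that file: ExecStartPre writes it with a plain shell redirect as root, so its mode is whatever the service's umask yields (0644 under systemd's default UMask=0022, which matches the entry), and if a UMask= is ever added to ovsdb-server.service the two will drift apart. The `# PATCH-FIX-UPSTREAM:` comments for Patch1 and Patch2 only repeat the file names; a few words on why the file left %{_rundir}/openvswitch (bsc#1135884: that directory is chowned to ${OVS_USER_ID} in ExecStartPre, so the service user could rewrite the options that pick the daemon's user) would save the next packager from re-reading both patches.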
>From aec69da8a2385b3d1368b484aa247876fbc2018d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <[email protected]> Date: Wed, 8 May 2019 13:53:47 +0200 Subject: [PATCH 1/2] rhel: secure openvswitch useropts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The openvswitch useropts file is being stored in a directory where the openvswitch user has write permissions. The openvswitch user can then manipulate the file to change the user under which switchd daemon runs. This patch changes the file to /var/openvswitch.useropts preventing any manipulation. Signed-off-by: Jaime Caamaño Ruiz <[email protected]> Signed-off-by: Ben Pfaff <[email protected]> --- rhel/usr_lib_systemd_system_ovsdb-server.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 70da1ec95..0f9d936b3 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -11,8 +11,8 @@ Restart=on-failure EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch -ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi' -EnvironmentFile=-/run/openvswitch/useropts +ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi' +EnvironmentFile=-/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovs-vswitchd --no-monitor --system-id=random \ ${OVSUSER} \ -- 2.16.4 ++++++ 0002-rhel-let-ctl-handle-runtime-directory.patch ++++++ 
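Review bot: the commit message says the file moves to /var/openvswitch.useropts, but the hunk writes and reads /run/openvswitch.useropts; one of the two should be corrected before merging, and /run is the right one since the file is regenerated on every start. The fix holds only because /run itself stays root-owned while the preceding, unchanged `ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch` still hands the subdirectory to the service user; a one-line comment in the unit saying the file must not live under /run/openvswitch would stop someone moving it back later. Separately, `$${OVS_USER_ID/:*/}` is a bash pattern substitution executed via /bin/sh, so the unit depends on /bin/sh being bash; `$${OVS_USER_ID%%:*}` is the POSIX spelling and works on either.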
>From eb48aba90b582df6dd7d2798a34ac31f7ed68282 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <[email protected]> Date: Mon, 10 Jun 2019 14:58:10 +0200 Subject: [PATCH] rhel: let *-ctl handle runtime directory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Recent versions of systemd restore RuntimeDirectory ownership to the unit's User in between execution of *Exec directives (see [1]). Using ExecStartPre to reset RuntimeDirectory ownership to OVS_USER no longer works as expected. The ctl scripts already handle creation of the runtime directory with correct ownership and permissions so we can basically remove RuntimeDirectory from the systemd unit file. There is still a need to handle ownership to cover some upgrade scenarios, but success of that will be optional as the directory itself won't exist at first time run. [1] https://github.com/systemd/systemd/issues/12713 Signed-off-by: Jaime Caamaño Ruiz <[email protected]> --- rhel/usr_lib_systemd_system_ovsdb-server.service | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 0f9d936b3..22c704561 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -10,7 +10,7 @@ Type=forking Restart=on-failure EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch -ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch +ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi' EnvironmentFile=-/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ 
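Review bot: the `-` prefix makes the whole chown non-fatal, but the line covers /var/log/openvswitch as well as /var/run/openvswitch, and only the runtime directory may be absent on first run; the log directory is packaged by the spec as `%attr(750,root,root) %dir %{_localstatedir}/log/openvswitch`, so a chown failure there would now be swallowed and only show up when the daemon cannot open its log file. Suggest splitting into two lines so only the optional case is optional: `ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch` and `ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/log/openvswitch`.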
@@ -21,5 +21,3 @@ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \ ${OVSUSER} \ --no-monitor restart $OPTIONS -RuntimeDirectory=openvswitch -RuntimeDirectoryMode=0755 -- 2.16.4
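Review bot: removing RuntimeDirectory= also removes the cleanup systemd performed on stop, so /run/openvswitch and whatever sockets and pidfiles it holds now persist across restarts and are entirely ovs-ctl's responsibility. The commit message says the ctl scripts already create the directory with the right ownership and mode, but nothing in the hunk points at that code; a reference in the commit message, or a comment in the unit file where RuntimeDirectory= used to be, would let a reviewer check it without reading ovs-ctl. With systemd no longer creating the directory, the surviving `ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch ...` does nothing on a fresh boot and only matters on upgrade, which is the intent but is worth saying in that comment too.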
