[ovs-dev] [RFC v0 1/4] rhel: allow arbitrary user:group

Sun, 23 Apr 2017 07:23:10 -0700 

Under rpm based distributions, the only user:group that the rhel daemons run
as is 'root:root'.  This is fine as a default, but as part of a security
procedure, users may want to run as an alternate uid/gid.  This commit
adds an OVS_USER_ID environment variable for systemd, which defaults to
root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
environment file.

Signed-off-by: Aaron Conole <acon...@redhat.com>
---
 rhel/usr_lib_systemd_system_ovs-vswitchd.service              | 4 ++++
 rhel/usr_lib_systemd_system_ovsdb-server.service              | 5 +++++
 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service 
b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
index 39627e9..0434d20 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
@@ -10,11 +10,15 @@ PartOf=openvswitch.service
 [Service]
 Type=forking
 Restart=on-failure
+Environment="OVS_USER_ID=root:root"
+EnvironmentFile=-/etc/sysconfig/openvswitch-pre
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
+          --ovs-user=${OVS_USER_ID} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
+          --ovs-user=${OVS_USER_ID} \
           restart $OPTIONS
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service 
b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 68deace..8354087 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -8,12 +8,17 @@ PartOf=openvswitch.service
 [Service]
 Type=forking
 Restart=on-failure
+Environment="OVS_USER_ID=root:root"
+EnvironmentFile=-/etc/sysconfig/openvswitch-pre
 EnvironmentFile=-/etc/sysconfig/openvswitch
+ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
+          --ovs-user=${OVS_USER_ID} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
+           --ovs-user=${OVS_USER_ID} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template 
b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
index 3050a07..119dfe4 100644
--- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
@@ -21,3 +21,6 @@
 #   --ovsdb-server-wrapper=valgrind
 #
 OPTIONS=""
+
+# You may change the user:group below to run as a separate user
+#OVS_USER_ID="openvswitch:openvswitch"
-- 
2.9.3

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to