After this commit, users may start a dpdk-enabled ovs setup as a non-root user. This is accomplished by exporting the $HOME directory, which dpdk uses to fill in its semi-persistent RTE configuration.
This change may be a bit controversial since it modifies /dev/hugepages as part of starting the ovs-vswitchd to set a hugetlbfs group ownership. This is used to enable writing to /dev/hugepages so that the dpdk_init will successfully complete. There is an alternate way of accomplishing this - namely to initialize DPDK before dropping privileges. However, this would mean that if DPDK ever grows an uninit / reinit function, non-root ovs likely could never use it. This does not change OvS+DPDK's SELinux requirements. It still must be disabled. Signed-off-by: Aaron Conole <[email protected]> --- Documentation/intro/install/dpdk.rst | 7 +++++++ NEWS | 1 + rhel/README.RHEL.rst | 11 +++++++++++ rhel/openvswitch-fedora.spec.in | 13 +++++++++++++ rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 5 +++++ 5 files changed, 37 insertions(+) diff --git a/Documentation/intro/install/dpdk.rst b/Documentation/intro/install/dpdk.rst index a05aa1a..0585c6a 100644 --- a/Documentation/intro/install/dpdk.rst +++ b/Documentation/intro/install/dpdk.rst @@ -134,6 +134,13 @@ has to be configured with DPDK support (``--with-dpdk``). Additional information can be found in :doc:`general`. +.. note:: + If you are running using the Fedora or Red Hat package, the Open vSwitch + daemon will run as a non-root user. This implies that you must have a + working IOMMU. Visit the `RHEL README`__ for additional information. + +__ https://github.com/openvswitch/ovs/blob/master/rhel/README.RHEL.rst + Setup ----- diff --git a/NEWS b/NEWS index facea02..095272a 100644 --- a/NEWS +++ b/NEWS @@ -64,6 +64,7 @@ Post-v2.7.0 * OpenFlow 1.5 packet-out is now supported. - Fedora Packaging: * OVN services are no longer restarted automatically after upgrade. + * ovs-vswitchd and ovsdb-server run as non-root users by default. - Add --cleanup option to command 'ovs-appctl exit' (see ovs-vswitchd(8)). - L3 tunneling: * Use new tunnel port option "packet_type" to configure L2 vs. L3. 
diff --git a/rhel/README.RHEL.rst b/rhel/README.RHEL.rst index 1845e8f..5f7a99a 100644 --- a/rhel/README.RHEL.rst +++ b/rhel/README.RHEL.rst @@ -337,6 +337,17 @@ running. All other commands where executed when Open vSwitch was successfully running. +Non-root User Support +----------------------- +Fedora and RHEL support running the Open vSwitch daemons as a non-root user. +By default, a fresh installation will create an *openvswitch* user, along +with any additional support groups needed (such as *hugetlbfs* for DPDK +support). + +This is controlled by modifying the ``OVS_USER_ID`` option. Setting this +to 'root:root', or commenting the variable out will revert this behavior. + + Reporting Bugs -------------- diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 959aa2e..ccf6ea0 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -95,6 +95,10 @@ Requires: openssl hostname iproute module-init-tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/useradd Requires(post): /usr/bin/sed +%if %{with dpdk} +Requires(post): /usr/sbin/usermod +Requires(post): /usr/sbin/groupadd +%endif Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -370,6 +374,15 @@ if [ $1 -eq 1 ]; then sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch +%if %{with dpdk} + getent group hugetlbfs >/dev/null || \ + groupadd hugetlbfs + usermod -a -G hugetlbfs openvswitch + sed -i \ + 's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\ + /etc/sysconfig/openvswitch +%endif + # In the case of upgrade, this is not needed. chown -R openvswitch:openvswitch /etc/openvswitch fi diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index 9aff70b..bf0f058 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in 
@@ -10,8 +10,13 @@ PartOf=openvswitch.service [Service] Type=forking Restart=on-failure +Environment=HOME=/var/run/openvswitch EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch +@begin_dpdk@ +ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages +ExecStartPre=/usr/bin/chmod 0775 /dev/hugepages +@end_dpdk@ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ --ovs-user=${OVS_USER_ID} \ -- 2.9.4
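Review bot: the new note in Documentation/intro/install/dpdk.rst says a working IOMMU is required but not why; a short clause (presumably because a non-root daemon has to bind devices through the IOMMU-backed vfio-pci driver) would save readers a trip to the RHEL README. The anonymous link target also hard-codes the GitHub master URL, which will not match a released tree; a relative reference to rhel/README.RHEL.rst would age better.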
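Review bot: the new "Non-root User Support" section in rhel/README.RHEL.rst says ``OVS_USER_ID`` controls the behaviour but never names the file; the spec hunk edits /etc/sysconfig/openvswitch, so say so here. The value 'root:root' should use the same ``literal`` markup as ``OVS_USER_ID``, and since the spec sets the DPDK default to openvswitch:hugetlbfs rather than openvswitch:openvswitch, the README should state that difference and that members of *hugetlbfs* gain write access to /dev/hugepages.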
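Review bot: in the %post hunk of rhel/openvswitch-fedora.spec.in the hugetlbfs group creation, the usermod and the OVS_USER_ID rewrite all sit inside the `if [ $1 -eq 1 ]` fresh-install branch, so a system upgraded from an older package gets the new unit file, whose `ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages` fails when the group does not exist, and ovs-vswitchd will not start. Run the group setup on upgrade too (the getent guard already makes it idempotent) and create it as a system group with `groupadd -r hugetlbfs`. The sed also only matches the exact text OVS_USER_ID="openvswitch:openvswitch"; if the preceding sed leaves a different quoting style in /etc/sysconfig/openvswitch it silently does nothing, so consider matching `^OVS_USER_ID=.*` instead.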
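Review bot: the two ExecStartPre lines in rhel/usr_lib_systemd_system_ovs-vswitchd.service.in run as root on every start and unconditionally reset the group and mode of /dev/hugepages, so they override whatever gid=/mode= an administrator configured on the hugetlbfs mount and they still run when OVS_USER_ID has been reverted to root:root, where they are not needed. Setting the ownership once through mount options (or a drop-in for the dev-hugepages.mount unit) would be less surprising than rewriting it per start. `Environment=HOME=/var/run/openvswitch` also assumes that directory is writable by ${OVS_USER_ID}, since DPDK stores its RTE configuration there; a comment saying who creates it with that ownership would help.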
