On Mon, Aug 06, 2018 at 08:33:46AM -0400, Aaron Conole wrote:
> Timothy Redaelli <[email protected]> writes:
>
> > When ovsdb-server is starting, it performs some DB steps such as
> > creating and upgrading the OvS DB. When we are running as
> > 'non-root' user, the 'runuser' tool is used to manage the privileges.
> > However, when this happens during systemd boot, we observe the following
> > errors in journald:
> >
> > Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Failed to add PIDs to
> > scope's control group: No such process
> > Jun 21 07:32:57 virt systemd[1]: Failed to start Session c1 of user
> > openvswitch.
> > Jun 21 07:32:57 virt systemd[1]: session-c1.scope: Unit entered failed
> > state.
> >
> > According to the analysis performed on openSUSE bugzilla[1], it seems
> > that ovsdb-server.service creates (via the call to runuser) a user
> > session and therefore call pam_systemd which in its turn tries to start
> > a systemd user instance: "[email protected]". However "[email protected]"
> > is supposed to be started after systemd-user-sessions.service which is
> > supposed to be started after network.target. Additionally,
> > ovsdb-server.service uses Before=network.target hence the deadlock.
> >
> > This commit uses "setpriv" instead of "runuser" to launch "ovsdb-tool" that
> > doesn't use PAM and so it permits to launch "ovsdb-tool" as a user without
> > having the deadlock. Since some old versions for "setpriv" (such as the
> > one used by RHEL7) doesn't support the username / groupname, but only the
> > user ids / group ids, "id" is used to get the user ID and the group IDs.
> > To replicate the same behaviour of "runuser", the effective group ID of
> > the user is used as GID (usually "openvswitch") and the remaining group
> > IDs are used as supplementary groups (usually "hugetlbfs", if OVS is
> > built with DPDK support).
> >
> > [1]: https://bugzilla.suse.com/show_bug.cgi?id=1098630
> > Reported-by: Markos Chandras <[email protected]>
> > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-July/349716.html
> > Co-authored-by: Aaron Conole <[email protected]>
> > Signed-off-by: Timothy Redaelli <[email protected]>
> > ---
>
> Thanks all.
>
> Signed-off-by: Aaron Conole <[email protected]>

Thanks, applied to master, backported as far as 2.7.
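
The identity mapping the quoted commit message describes (numeric IDs from "id", the primary group passed as the GID, the remaining groups as supplementary groups), as an added shell example that is not the patch's own code. The function names build_setpriv_args and run_as are hypothetical; the setpriv options used are --reuid, --regid, --groups and --clear-groups.

```shell
#!/bin/sh
# Added example, not the Open vSwitch patch. Function names are hypothetical.

# build_setpriv_args UID GID "GID-LIST"
#   UID       numeric user ID            (what `id -u USER` prints)
#   GID       numeric primary group ID   (what `id -g USER` prints)
#   GID-LIST  space-separated group IDs  (what `id -G USER` prints)
# Prints setpriv options that use numeric IDs only, so that setpriv builds
# without user/group name lookup still accept them.
build_setpriv_args() {
    uid=$1
    gid=$2
    supp=
    for g in $3; do
        # The primary group goes to --regid; every other ID is supplementary.
        if [ "$g" != "$gid" ]; then
            supp=${supp:+$supp,}$g
        fi
    done
    if [ -n "$supp" ]; then
        printf '%s\n' "--reuid $uid --regid $gid --groups $supp"
    else
        # No supplementary groups: clear the ones inherited from the caller
        # (root's groups when started from a systemd unit).
        printf '%s\n' "--reuid $uid --regid $gid --clear-groups"
    fi
}

# run_as USER COMMAND [ARGS...]
# Resolves USER with id(1) and runs COMMAND through setpriv. No PAM session
# is opened, so pam_systemd is never asked to start a user instance.
run_as() {
    user=$1
    shift
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    gids=$(id -G "$user") || return 1
    # Unquoted on purpose: the option string holds only option names,
    # digits and commas, and must be split into separate arguments.
    # shellcheck disable=SC2046
    setpriv $(build_setpriv_args "$uid" "$gid" "$gids") "$@"
}
```

Running `run_as openvswitch id` as root on a host that has the account should print the same uid, gid and groups that `id openvswitch` reports.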
