Both ovn and ovs share the same log and run directories, which are owned by the user running ovs, so it makes sense for ovn to run under that user too; this reduces security concerns and possible problems with log rotation.
Signed-off-by: Jaime Caamaño Ruiz <jcaam...@suse.com>
---
 rhel/usr_lib_systemd_system_ovn-controller-vtep.service | 2 ++
 rhel/usr_lib_systemd_system_ovn-controller.service | 2 ++
 rhel/usr_lib_systemd_system_ovn-northd.service | 6 +++++-
 rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 4 ++--
 rhel/usr_lib_systemd_system_ovsdb-server.service | 9 +++++----
 5 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
index 5f69c57bb..b1e239f57 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
@@ -39,8 +39,10 @@ Restart=on-failure
 Environment=OVN_DB=unix:%t/openvswitch/ovnsb_db.sock
 Environment=VTEP_DB=unix:%t/openvswitch/db.sock
 EnvironmentFile=-/etc/sysconfig/ovn-controller-vtep
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \
 --db-sb-sock=${OVN_DB} --db-sock=${VTEP_DB} \
+ --ovn-user=${OVS_USER_ID} \
 start_controller_vtep
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller_vtep
 
diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
index cf65988fe..335cd5a52 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller.service
@@ -24,7 +24,9 @@ Type=forking
 PIDFile=/var/run/openvswitch/ovn-controller.pid
 Restart=on-failure
 EnvironmentFile=-/etc/sysconfig/ovn-controller
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovn-ctl --no-monitor \
+ --ovn-user=${OVS_USER_ID} \
 start_controller $OVN_CONTROLLER_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller
 
diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
index 3c44600a0..ff510fbde 100644
--- a/rhel/usr_lib_systemd_system_ovn-northd.service
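Review bot: `EnvironmentFile=/run/openvswitch.useropts` is added to ovn-controller-vtep.service without the `-` prefix, so the file is mandatory; it lives on tmpfs and is only created by an ExecStartPre of ovsdb-server.service, so on a fresh boot this unit fails to load its environment unless it is ordered after ovsdb-server.service (the [Unit] section is outside the hunk). The same applies to the ovn-controller.service hunk that follows. If that ordering is not guaranteed, `EnvironmentFile=-/run/openvswitch.useropts` keeps the previous tolerance, but then `--ovn-user=${OVS_USER_ID}` can expand to an empty `--ovn-user=`, so ovn-ctl should be checked to reject that instead of silently falling back to root. The option is also passed unconditionally here, whereas the OVS units only pass `--ovs-user` for non-root users through OVS_USER_OPT; it is worth confirming ovn-ctl accepts a `root:root` value.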
+++ b/rhel/usr_lib_systemd_system_ovn-northd.service
@@ -24,7 +24,11 @@ Type=oneshot
 RemainAfterExit=yes
 Environment=OVS_RUNDIR=%t/openvswitch OVS_DBDIR=/var/lib/openvswitch
 EnvironmentFile=-/etc/sysconfig/ovn-northd
-ExecStart=/usr/share/openvswitch/scripts/ovn-ctl start_northd $OVN_NORTHD_OPTS
+EnvironmentFile=/run/openvswitch.useropts
+ExecStartPre=/usr/bin/chown -R ${OVS_USER_ID} ${OVS_DBDIR}
+ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \
+ --ovs-user=${OVS_USER_ID} --ovn-user=${OVS_USER_ID} \
+ start_northd $OVN_NORTHD_OPTS
 ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_northd
 
 [Install]
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index 87abe3a89..ff43dae96 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -22,11 +22,11 @@ ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
 --no-ovsdb-server --no-monitor --system-id=random \
- ${OVSUSER} \
+ ${OVS_USER_OPT} \
 start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
 --no-monitor --system-id=random \
- ${OVSUSER} \
+ ${OVS_USER_OPT} \
 restart $OPTIONS
 TimeoutSec=300
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index d4b605a75..9bb37fd06 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
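Review bot: `ExecStartPre=/usr/bin/chown -R ${OVS_USER_ID} ${OVS_DBDIR}` in ovn-northd.service re-owns the whole shared /var/lib/openvswitch on every start, including the OVS database files, while the ovsdb-server.service hunk only chowns /var/run/openvswitch and /var/log/openvswitch; and because the line lacks the `-` prefix, any failure (an unset OVS_USER_ID, a missing or read-only directory) blocks ovn-northd outright. Narrowing the chown to the OVN database files, or at least making it best-effort with `ExecStartPre=-/usr/bin/chown -R ${OVS_USER_ID} ${OVS_DBDIR}`, limits the blast radius of a mis-set variable. The mandatory `EnvironmentFile=/run/openvswitch.useropts` also carries the same first-boot ordering dependency on ovsdb-server.service as the ovn-controller units; the [Unit] ordering is outside the hunk. The ovs-vswitchd.service.in hunk is a plain rename of OVSUSER to OVS_USER_OPT and needs nothing further.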
@@ -12,15 +12,16 @@ Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
-ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
-EnvironmentFile=-/run/openvswitch.useropts
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; /usr/bin/echo "OVS_USER_ID=${OVS_USER_ID}" > /run/openvswitch.useropts'
+ExecStartPre=/bin/sh -c 'if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVS_USER_OPT=--ovs-user=${OVS_USER_ID}" >> /run/openvswitch.useropts; fi'
+EnvironmentFile=/run/openvswitch.useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
 --no-ovs-vswitchd --no-monitor --system-id=random \
- ${OVSUSER} \
+ ${OVS_USER_OPT} \
 start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
- ${OVSUSER} \
+ ${OVS_USER_OPT} \
 --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
-- 
2.16.4
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
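Review bot: Turning `EnvironmentFile=-/run/openvswitch.useropts` into the mandatory form inside ovsdb-server.service itself is likely to break the first start after boot: the file is on tmpfs and is only produced by the second ExecStartPre, yet the first ExecStartPre (the chown) is spawned before it exists, and this design already relies on systemd resolving EnvironmentFile= per command so that ExecStart sees the freshly written file. Keeping `EnvironmentFile=-/run/openvswitch.useropts` here avoids that failure while the file is still guaranteed to exist by the time ExecStart runs. Since this file now decides which user every OVN service drops privileges to, the first echo should also guard against an empty OVS_USER_ID rather than writing `OVS_USER_ID=` and letting the consumers pass an empty `--ovn-user=`. Consider adding a comment above the two ExecStartPre lines stating that the file is consumed by the ovn-*.service units as well, so a future change to its format is not made in isolation.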