On 10 Feb 2023, at 17:02, Vladislav Odintsov wrote:
> This patch adds new ovs-ctl options to pass umask configuration to allow
> OVS daemons to set requested socket permissions on group. Previous
> behaviour (if using with systemd service unit) created sockets with 0750
> permissions mask (group has no write permission).
>
> Write permission for group is reasonable in use case, where ovs-vswitchd
> or ovsdb-server runs as a non-privileged user:group (say,
> openvswitch:openvswitch) and it is needed to access unix socket from
> process running as another non-privileged user. In this case
> administrator has to add that user to openvswitch group and can connect
> to OVS sockets from a process running under that user.
>
> Two new ovs-ctl options --ovsdb-server-umask and --ovs-vswitchd-umask
> were added to manage umask values for appropriate daemons. This is
> useful for systemd users: both ovs-vswitchd and ovsdb-server systemd
> units read options from single /etc/sysconfig/openvswitch configuration
> file. So, with separate options it is possible to set umask only for
> specific daemon.
>
> OPTIONS="--ovsdb-server-umask=0002"
>
> in /etc/openvswitch/sysconfig file will set umask to 0002 value before
> starting only ovsdb-server, while
>
> OPTIONS="--ovs-vswitchd-umask=0002"
>
> will set umask for ovs-vswitchd daemon.
>
> Previous behaviour (not setting umask) is left as default.
>
> Reported-at:
> https://mail.openvswitch.org/pipermail/ovs-dev/2023-January/401501.html
> Signed-off-by: Vladislav Odintsov <[email protected]>

Thanks for fixing this! The changes look good to me.

Acked-by: Eelco Chaudron <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
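
The effect of the umask on a Unix socket's mode, as discussed in the commit message above, shown as an added example that is not part of the patch or of OVS. It assumes Linux; the umask 0027 is an assumption chosen because it reproduces the 0750 mode the message mentions, 0007 is an extra comparison value, and the socket path is constructed.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under_umask(mask):
    """Bind a Unix socket with the given umask; return its permission bits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed path, not a real OVS socket
        old = os.umask(mask)
        try:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                sock.bind(path)  # on Linux the file is created as 0777 & ~umask
                return stat.S_IMODE(os.stat(path).st_mode)
            finally:
                sock.close()
        finally:
            os.umask(old)  # restore so the caller's umask is unchanged


def who_can_connect(mode):
    """Linux requires write permission on the socket file to connect()."""
    classes = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP), ("other", stat.S_IWOTH))
    return [name for name, bit in classes if mode & bit]


def report(masks=(0o027, 0o002, 0o007)):
    """Return (umask, socket mode, classes able to connect) for each umask."""
    rows = []
    for mask in masks:
        mode = socket_mode_under_umask(mask)
        rows.append((mask, mode, who_can_connect(mode)))
    return rows


if __name__ == "__main__":
    for mask, mode, allowed in report():
        print(f"umask {mask:04o} -> socket mode {mode:04o}, connect: {', '.join(allowed)}")
```

The connecting user also needs search permission on the directory that holds the socket, so group membership alone is not sufficient if that directory is closed to the group.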