On 2/10/23 17:02, Vladislav Odintsov wrote:
> This patch adds new ovs-ctl options to pass umask configuration to allow
> OVS daemons to set the requested socket permissions for the group. The
> previous behaviour (if used with a systemd service unit) created sockets
> with a 0750 permissions mask (the group has no write permission).
>
> Write permission for the group is reasonable in the use case where
> ovs-vswitchd or ovsdb-server runs as a non-privileged user:group (say,
> openvswitch:openvswitch) and the unix socket needs to be accessed from a
> process running as another non-privileged user. In this case the
> administrator has to add that user to the openvswitch group and can then
> connect to OVS sockets from a process running under that user.
>
> Two new ovs-ctl options, --ovsdb-server-umask and --ovs-vswitchd-umask,
> were added to manage the umask values for the respective daemons. This is
> useful for systemd users: both the ovs-vswitchd and ovsdb-server systemd
> units read options from a single /etc/sysconfig/openvswitch configuration
> file. So, with separate options it is possible to set the umask only for
> a specific daemon.
>
> OPTIONS="--ovsdb-server-umask=0002"
>
> in the /etc/openvswitch/sysconfig file will set the umask to 0002 only
> before starting ovsdb-server, while
>
> OPTIONS="--ovs-vswitchd-umask=0002"
>
> will set the umask for the ovs-vswitchd daemon.
>
> Previous behaviour (not setting umask) is left as default.
>
> Reported-at:
> https://mail.openvswitch.org/pipermail/ovs-dev/2023-January/401501.html
> Signed-off-by: Vladislav Odintsov <[email protected]>
>
> ---
> v2 -> v3:
> - addressed Eelco's review comments.
>
> v1 -> v2:
> - added an item in the NEWS file as per Ilya's suggestion;
> - addressed Eelco's review comments;
> - moved umask call from ovs-ctl to ovs-lib;
> - added restoration of umask to effective value before the umask change;
> - the previous version's --ovs-umask option was split into two:
> --ovs-vswitchd-umask and --ovsdb-server-umask, in order to make
> umask configuration possible for a specific daemon when running with
> systemd.
> ---
> NEWS | 7 +++++++
> utilities/ovs-ctl.in | 16 ++++++++++++----
> utilities/ovs-lib.in | 17 ++++++++++++++---
> 3 files changed, 33 insertions(+), 7 deletions(-)
>
> diff --git a/NEWS b/NEWS
> index fe6055a27..f7df598bd 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -4,6 +4,13 @@ Post-v3.1.0
> * OVS now collects per-interface upcall statistics that can be obtained
> via 'ovs-appctl dpctl/show -s' or the interface's statistics column
> in OVSDB. Available with upstream kernel 6.2+.
> + - ovs-ctl:
> + * Added support to set umask value when starting OVS daemons. New
> options
> + --ovsdb-server-umask=MODE and --ovs-vswitchd-umask=MODE were added for
> + that. For instance, when write access on befalf of OVS group is
> needed
> + for ovsdb-server, pass --ovsdb-umask=0002. Use --vswitchd-umask to
> set
> + umask ovs-vswitchd daemon umask. This will allow ovsdb-server or
> + ovs-vswitchd to create sockets with access mode of 0770.
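Review bot: the option names in the NEWS example do not match the options the same entry introduces two lines earlier. The entry names `--ovsdb-server-umask=MODE and --ovs-vswitchd-umask=MODE`, but the example then says `pass --ovsdb-umask=0002` and `Use --vswitchd-umask to`, so a reader copying the example gets options ovs-ctl does not accept; please use the full names in both places. In the same lines, "befalf" should be "behalf", and "to set umask ovs-vswitchd daemon umask" repeats "umask". Since the commit message states that not setting a umask remains the default, one short clause saying so would complete the entry, e.g. "The default (umask unchanged) is kept."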
The options in the example are incorrect.
Also, the text seems slightly too extensive.
What do you think about this:
- ovs-ctl:
* Added new options --[ovsdb-server|ovs-vswitchd]-umask=MODE to set umask
value when starting OVS daemons. E.g., use --ovsdb-server-umask=0002
in order to create OVSDB sockets with access mode of 0770.
?
I could fold this in while applying the change.
Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
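The thread turns on what permission bits a daemon's unix socket ends up with under a given umask, and on the fact that group write on that socket is what lets group members connect to (and therefore drive) ovsdb-server or ovs-vswitchd. The following is an added example, my own code and not OVS, ovs-ctl or the patch: it applies a umask with the same save-and-restore discipline the changelog describes, binds a throwaway AF_UNIX socket, reports the bits the kernel assigned, and classifies who can connect. It models only what bind(2) does on Linux (socket file created with 0777 & ~umask); any chmod a daemon applies to its socket after binding is an assumption outside this example, and the socket path is constructed for the test.

```python
"""Observe the permission bits bind(2) gives an AF_UNIX socket under a umask.

Added example, not OVS code.  Models bind(2) only: the socket file is
created with 0777 & ~umask.  A daemon that chmod()s its socket afterwards
overrides that, which is not modelled here.
"""
import os
import socket
import stat
import tempfile
from contextlib import contextmanager


def current_umask():
    """Read the process umask without changing it (umask(2) has no getter)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


@contextmanager
def temporary_umask(mask):
    """Apply ``mask`` for the duration of the block, then restore the old
    value, mirroring the save-and-restore the changelog describes."""
    old = os.umask(mask)
    try:
        yield old
    finally:
        os.umask(old)


def umask_is_restored(mask):
    """True if the umask in force before temporary_umask() is back afterwards."""
    before = current_umask()
    with temporary_umask(mask):
        inside = current_umask()
    return inside == mask and current_umask() == before


def expected_socket_mode(mask):
    """Permission bits bind(2) assigns to a fresh socket file: 0777 & ~umask."""
    return 0o777 & ~mask


def socket_mode_under_umask(mask):
    """Bind a throwaway socket with ``mask`` in force and return the
    permission bits the kernel actually gave the socket file."""
    with tempfile.TemporaryDirectory() as tmp, temporary_umask(mask):
        path = os.path.join(tmp, "db.sock")  # constructed path, not the OVS one
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.bind(path)
            return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            sock.close()


def classify_socket_mode(mode):
    """Who can connect to, and so drive, a daemon behind this socket.
    connect(2) on an AF_UNIX socket requires write permission on it."""
    if mode & stat.S_IWOTH:
        return "world-writable"   # any local user; almost never intended
    if mode & stat.S_IWGRP:
        return "group-writable"   # every member of the daemon's group
    return "owner-writable"       # only the daemon's own user


if __name__ == "__main__":
    for mask in (0o027, 0o022, 0o002, 0o000):
        mode = socket_mode_under_umask(mask)
        print(f"umask {mask:04o}: socket mode {mode:04o} "
              f"({classify_socket_mode(mode)})")
```

Running it shows why a umask of 0027 yields the 0750 socket the commit message reports and why 0002 opens write access to the group; it also shows that 0000 would hand the socket to every local user, which is the value to refuse when wiring the new options into a sysconfig file. Check the resulting mode on the real socket after changing the umask rather than assuming it, since the daemon's own socket-creation path may narrow it further.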