Marcos Felipe Schwarz <[email protected]> writes:
> Thanks for the suggestion Timothy, didn't knew that worked. Just
> fixing some little things, it should be:
> ExecStartPre=-/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages
>
> Regarding the daemon-unix.c patch, any suggestions on how to improve
> it? I tested it is working, but currently, I'm not aware if the new
> capability should be set separeted as I did or using any of the
> current blocks of code.
One thing that might work is to not attempt switching users and
capabilities if the current user is the target user.
ex:
@@ -1047,5 +1047,6 @@ daemon_set_new_user(const char *user_spec)
}
}
- switch_user = true;
+ if (!uid_verify(uid) || !gid_verify(gid))
+ switch_user = true;
}
NOTE: this isn't compile or runtime tested, just a thought.
> Regards,
>
> Marcos Schwarz
>
> ----- Original Message -----
> From: "Timothy Redaelli" <[email protected]>
> To: "Marcos Felipe Schwarz" <[email protected]>
> Cc: "Ben Pfaff" <[email protected]>, [email protected]
> Sent: Monday, January 8, 2018 9:20:17 AM
> Subject: Re: [ovs-discuss] DPDK with UIO drivers is broken on Fedora since
> OVS 2.8.0
>
> On Sat, Jan 6, 2018 at 2:41 AM, Marcos Felipe Schwarz
> <[email protected]> wrote:
>> Got it fixed.
>>
>> The problem was related to not setting the CAP_SYS_ADMIN capability at
>> daemon-unix.c. Follows the patch bellow to set the capability and
>> dynamically extract the group from OVS_USER_ID instead of forcing it to
>> :hugetlbfs.
>>
>> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
>> index 839114f3e..3b94164ea 100644
>> --- a/lib/daemon-unix.c
>> +++ b/lib/daemon-unix.c
>> @@ -818,6 +818,9 @@ daemon_become_new_user_linux(bool access_datapath
>> OVS_UNUSED)
>> ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
>> || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW);
>> }
>> + if (!ret) {
>> + ret = capng_update(CAPNG_ADD, cap_sets, CAP_SYS_ADMIN);
>> + }
>> } else {
>> ret = -1;
>> }
>> diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
>> b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
>> index c6d9aa1b8..94290a847 100644
>> --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
>> +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
>> @@ -14,7 +14,7 @@ Environment=HOME=/var/run/openvswitch
>> EnvironmentFile=/etc/openvswitch/default.conf
>> EnvironmentFile=-/etc/sysconfig/openvswitch
>> @begin_dpdk@
>> -ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
>> +ExecStartPre=-/bin/sh -c 'chown :$(echo $OVS_USER_ID | tr ":" "\n" | tail
>> -1) /dev/hugepages'
>
> I think it's better to avoid using multiple useless forks, shell
> script parameter expansion are better in this case:
>
> ExecStartPre=-/bin/sh -c '/usr/bin/chown $${OVS_USER_ID##*:} /dev/hugepages'
>
>> ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
>> @end_dpdk@
>> ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
>>
>> Regards,
>>
>> Marcos Schwarz
> _______________________________________________
> discuss mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
