@@ -27,6 +27,7 @@ Post-v2.4.0
- Add support for connection tracking through the new "ct" action
and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields. Only
available on Linux kernels with the connection tracking module loaded.
+ - Debain package starts daemons as the 'ovs' user.
v2.4.0 - 20 Aug 2015
@@ -8,6 +8,7 @@ EXTRA_DIST += \
debian/dkms.conf.in \
debian/dirs \
debian/openvswitch-common.dirs \
+ debian/openvswitch-common.postinst \
debian/openvswitch-common.docs \
debian/openvswitch-common.install \
debian/openvswitch-common.manpages \
@@ -60,6 +60,7 @@ Architecture: linux-any
Depends: openssl,
python,
python (>= 2.7) | python-argparse,
+ adduser,
${misc:Depends},
${shlibs:Depends}
Suggests: ethtool
new file mode 100755
@@ -0,0 +1,52 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ LOGDIR=/var/log/openvswitch
+ HOMEDIR=/var/run/openvswitch
+ # Create the ovs user and group.
+ if ! getent passwd ovs > /dev/null; then
+ echo 'Adding system-user for ovs' 1>&2
+ adduser --system --group --no-create-home --disabled-login \
+ --quiet --home $HOMEDIR $OVS_USER
+ adduser $OVS_USER adm || true
+ fi
+
+ # Fix ownership and permissions.
+ chown -R $OVS_USER:$OVS_GROUP $LOGDIR
+ chown -R $OVS_USER:$OVS_GROUP $HOMEDIR
+ chmod -R 0775 $HOMEDIR
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
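Review bot: `adduser $OVS_USER adm || true` in the configure branch enrols the daemon account in the `adm` group, which on Debian grants read access to much of /var/log, so the switch processes gain read access to unrelated system logs; the logrotate stanza in this series (`create 640 ovs adm`) only needs `adm` as the file group so administrators can read the OVS logs, and `ovs` already owns those files, so the membership can be dropped (and the `|| true` currently hides any failure of that step). Two lines above, the existence test hardcodes the name while the rest of the script uses the variable; `if ! getent passwd "$OVS_USER" > /dev/null; then` keeps them in step. The `chown -R` / `chmod -R` lines assume `$LOGDIR` and `$HOMEDIR` already exist; under `set -e` a missing directory aborts the postinst, which presumably the package's .dirs files prevent, though that is not visible in this diff.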
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@ case "$1" in
if test ! -e /var/lib/openvswitch/pki; then
ovs-pki init
fi
+
+ chown -R $OVS_USER:$OVS_GROUP /var/lib/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
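Review bot: `chown -R $OVS_USER:$OVS_GROUP /var/lib/openvswitch` hands the daemon account ownership of the whole PKI tree that `ovs-pki init` creates three lines above, which in a standard ovs-pki layout includes the CA private keys; a compromised daemon process could then issue certificates trusted by every switch and controller. The daemons need their own certificate and key (kept under /etc/openvswitch in the other hunks), not the CA material, so limiting the chown to the paths the daemons actually open, or leaving the CA private directories root-owned, would preserve the least-privilege goal of this commit. The enclosing `configure)` case arm starts outside the hunk. The `OVS_USER=ovs` / `OVS_GROUP=$OVS_USER` pair is copied into seven scripts by this series; a single sourced definition (e.g. in the ovs-lib already sourced by the switch init script) would avoid the copies drifting apart.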
@@ -25,6 +25,9 @@
# the Open vSwitch kernel-based switch.
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
(test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0
. /usr/share/openvswitch/scripts/ovs-lib
@@ -64,6 +67,7 @@ start () {
if test X"$FORCE_COREFILES" != X; then
set "$@" --force-corefiles="$FORCE_COREFILES"
fi
+ set "$@" --run-as=$OVS_USER:$OVS_GROUP
set "$@" $OVS_CTL_OPTS
"$@" || exit $?
if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
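Review bot: `set "$@" --run-as=$OVS_USER:$OVS_GROUP` is the only option in this block added unconditionally; the neighbouring `FORCE_COREFILES` flag is guarded by `if test X"$FORCE_COREFILES" != X`, which is what lets /etc/default override it. Following the same pattern, `if test X"$OVS_USER" != X; then set "$@" --run-as="$OVS_USER:$OVS_GROUP"; fi`, would give administrators a documented way to keep the daemons as root for troubleshooting without editing the init script. The line assumes `ovs-ctl` understands `--run-as`, which is not part of this diff; start() begins and ends outside the hunk.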
@@ -1,7 +1,7 @@
/var/log/openvswitch/*.log {
daily
compress
- create 640 root adm
+ create 640 ovs adm
delaycompress
missingok
rotate 30
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,9 @@ case "$1" in
fi
done
fi
+
+ # fix owner and permissions for /etc/openvswitch.
+ chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
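Review bot: The comment `# fix owner and permissions for /etc/openvswitch.` overstates the line below it, which only changes ownership (`chown -R`) and leaves modes untouched; `# Hand /etc/openvswitch (conf.db, keys) to $OVS_USER so the daemons started with --user can write it.` describes what actually happens. The same recursive chown appears in what look like the openvswitch-pki and openvswitch-testcontroller postinst hunks of this series; in all three, recursing over the whole tree gives the daemon account ownership, not just read access, of any private key stored there (for example the `ovsclient-privkey.pem` the vtep init script references), so where the daemon only needs to read a key, a root-owned, group-readable file is the tighter choice. The `configure)` arm starts outside the hunk.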
@@ -37,6 +37,8 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here
NAME=ovs-testcontroller # Introduce the short server's name here
DESC=ovs-testcontroller # Introduce a short description here
LOGDIR=/var/log/openvswitch # Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
PIDFILE=/var/run/openvswitch/$NAME.pid
@@ -109,7 +111,10 @@ start_server() {
fi
if [ ! -d /var/run/openvswitch ]; then
- install -d -m 755 -o root -g root /var/run/openvswitch
+ install -d -m 775 -o $OVS_USER -g $OVS_GROUP /var/run/openvswitch
+ else
+ chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+ chmod 0775 -R /var/run/openvswitch
fi
SSL_OPTS=
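Review bot: `chmod 0775 -R /var/run/openvswitch` puts the option after the mode; GNU chmod accepts that through argument permutation, but it is not portable and differs from the `chmod -R 0775` spelling used elsewhere in this series, so `chmod -R 0775 /var/run/openvswitch` keeps them consistent. The `-R` itself is questionable on a runtime directory shared with ovsdb-server and ovs-vswitchd: on every start it makes each socket and pidfile in there group-writable, while only the directory needs to be writable by `ovs` for the daemon to create its pidfile. start_server() begins and ends outside the hunk.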
@@ -139,6 +144,7 @@ start_server() {
if [ -z "$DAEMONUSER" ] ; then
start-stop-daemon --start --pidfile $PIDFILE \
--exec $DAEMON -- --detach --pidfile=$PIDFILE \
+ --user $OVS_USER:$OVS_GROUP \
$LISTEN $DAEMON_OPTS $SSL_OPTS
errcode=$?
else
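Review bot: `--user $OVS_USER:$OVS_GROUP` sits after the `--` separator, so it is an argument to ovs-testcontroller rather than to start-stop-daemon, whose own `--user` means process matching; that is presumably intended and relies on the daemon accepting `--user`, which this diff does not show, so a short comment would spare the next reader the same check: `# --user is consumed by ovs-testcontroller itself, not by start-stop-daemon`. The option is added only in the branch where `DAEMONUSER` is empty; the else branch lies outside the hunk, so whether it already drops privileges by another means cannot be seen here.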
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@ case "$1" in
chmod go+r cert.pem req.pem
umask $oldumask
fi
+
+ chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch-testcontroller
;;
abort-upgrade|abort-remove|abort-deconfigure)
@@ -10,6 +10,8 @@
# Description: Initializes the Open vSwitch VTEP emulator
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
# Include defaults if available
default=/etc/default/openvswitch-vtep
@@ -40,17 +42,22 @@ start () {
cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
fi
+ chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
+ chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+ chmod -R 0775 /var/run/openvswitch
+
ovsdb-server --pidfile --detach --log-file --remote \
punix:/var/run/openvswitch/db.sock \
--remote=db:hardware_vtep,Global,managers \
--private-key=/etc/openvswitch/ovsclient-privkey.pem \
--certificate=/etc/openvswitch/ovsclient-cert.pem \
--bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+ --user $OVS_USER:$OVS_GROUP \
/etc/openvswitch/conf.db /etc/openvswitch/vtep.db
modprobe openvswitch
- ovs-vswitchd --pidfile --detach --log-file \
+ ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
unix:/var/run/openvswitch/db.sock
}
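Review bot: The `chown -R` / `chmod -R` lines added at the top of the hunk run on every `start`, re-walking /etc/openvswitch and /var/run/openvswitch at each boot, whereas the openvswitch-switch package does the equivalent once in its postinst; moving them to this package's postinst, or guarding them with a check that the top-level directory is already `ovs`-owned, keeps the init script to starting daemons. As in the testcontroller init script, the recursive chmod also makes every socket and pidfile under /var/run/openvswitch group-writable when only the directory needs that; `chmod 0775 /var/run/openvswitch` suffices. Both `--user $OVS_USER:$OVS_GROUP` additions assume ovsdb-server and ovs-vswitchd accept that option, which is not shown in this diff.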