| Message ID | 1442969477-11026-1-git-send-email-azhou@nicira.com |
|---|---|
| State | Accepted |
Forgot to tag those as V4 of series that add --user option. On Tue, Sep 22, 2015 at 5:51 PM, Andy Zhou <azhou@nicira.com> wrote: > Add configuration option for enabling or disabling linking with > libcap-ng. Since capabilities are a security feature, the libcapng > option is handled as follows: > > - no option: use libcapng if it's present > > --disable-libcapng: do not use libcapng > > --enable-libcapng: do use libcapng and fail configuration if > it's missing > > On Linux, not linking with libcapng makes all OVS daemons fail when > --user option is specified. > > Signed-off-by: Andy Zhou <azhou@nicira.com> > --- > INSTALL.md | 7 +++++++ > configure.ac | 1 + > lib/automake.mk | 1 + > m4/openvswitch.m4 | 36 ++++++++++++++++++++++++++++++++++++ > 4 files changed, 45 insertions(+) > > diff --git a/INSTALL.md b/INSTALL.md > index 9dac430..50ab6c7 100644 > --- a/INSTALL.md > +++ b/INSTALL.md > @@ -43,6 +43,13 @@ you will need the following software: > libssl is installed, then Open vSwitch will automatically build > with support for it. > > + - libcap-ng, written by Steve Grubb, is optional but recommended > + if you plan to user --user option for running Open vSwitch on > + Linux with kernel based datapath. libcap-ng is required to run > + OVS daemons as a non-root user with dropped root privileges. If > + libcap-ng is installed, then Open vSwitch will automatically > + build with support for it. > + > - Python 2.7. > > On Linux, you may choose to compile the kernel module that comes with > diff --git a/configure.ac b/configure.ac > index 36387a1..39055fe 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -91,6 +91,7 @@ OVS_CHECK_COVERAGE > OVS_CHECK_NDEBUG > OVS_CHECK_NETLINK > OVS_CHECK_OPENSSL > +OVS_CHECK_LIBCAPNG > OVS_CHECK_LOGDIR > OVS_CHECK_PYTHON > OVS_CHECK_DOT > diff --git a/lib/automake.mk b/lib/automake.mk > index 5fdd08f..d8c00da 100644 > --- a/lib/automake.mk > +++ b/lib/automake.mk 
> @@ -8,6 +8,7 @@ > lib_LTLIBRARIES += lib/libopenvswitch.la > > lib_libopenvswitch_la_LIBADD = $(SSL_LIBS) > +lib_libopenvswitch_la_LIBADD += $(CAPNG_LDADD) > > if WIN32 > lib_libopenvswitch_la_LIBADD += ${PTHREAD_LIBS} > diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 > index 087c7e5..a36e07d 100644 > --- a/m4/openvswitch.m4 > +++ b/m4/openvswitch.m4 > @@ -157,6 +157,42 @@ AC_DEFUN([OVS_CHECK_NETLINK], > [Define to 1 if Netlink protocol is available.]) > fi]) > > +dnl Checks for libcap-ng. > +AC_DEFUN([OVS_CHECK_LIBCAPNG], > + [AC_ARG_ENABLE( > + [libcapng], > + [AC_HELP_STRING([--disable-libcapng], [Disable Linux capability support])], > + [case "${enableval}" in > + (yes) libcapng=true ;; > + (no) libcapng=false ;; > + (*) AC_MSG_ERROR([bad value ${enableval} for --enable-libcapng]) ;; > + esac], > + [libcapng=check]) > + > + if test "$libcapng" != false; then > + AC_CHECK_LIB(cap-ng, [capng_clear], [HAVE_LIBCAPNG=yes]) > + > + if test "$HAVE_LIBCAPNG" != yes; then > + if test "$libcapng" == true ; then > + AC_MSG_ERROR([libcap-ng support requested, but not found]) > + fi > + if test "$libcapng" == check ; then > + AC_MSG_WARN([cannot find libcap-ng. > +--user option will not be supported on Linux. > +(you may use --disable-libcapng to suppress this warning). ]) > + fi > + fi > + fi > + > + AC_SUBST([HAVE_LIBCAPNG]) > + AM_CONDITIONAL([HAVE_LIBCAPNG], [test "$HAVE_LIBCAPNG" = yes]) > + if test "$HAVE_LIBCAPNG" = yes; then > + AC_DEFINE([HAVE_LIBCAPNG], [1], > + [Define to 1 if libcap-ng is available.]) > + CAPNG_LDADD="-lcap-ng" > + AC_SUBST([CAPNG_LDADD]) > + fi]) > + > dnl Checks for OpenSSL. > AC_DEFUN([OVS_CHECK_OPENSSL], > [AC_ARG_ENABLE( > -- > 1.9.1 >
On Tue, Sep 22, 2015 at 05:51:10PM -0700, Andy Zhou wrote: > Add configuration option for enabling or disabling linking with > libcap-ng. Since capabilities are a security feature, the libcapng > option is handled as follows: > > - no option: use libcapng if it's present > > --disable-libcapng: do not use libcapng > > --enable-libcapng: do use libcapng and fail configuration if > it's missing > > On Linux, not linking with libcapng makes all OVS daemons fail when > --user option is specified. > > Signed-off-by: Andy Zhou <azhou@nicira.com> Thanks for writing this! > + - libcap-ng, written by Steve Grubb, is optional but recommended > + if you plan to user --user option for running Open vSwitch on > + Linux with kernel based datapath. libcap-ng is required to run > + OVS daemons as a non-root user with dropped root privileges. If > + libcap-ng is installed, then Open vSwitch will automatically > + build with support for it. Maybe a little more straightforwardly: - libcap-ng, written by Steve Grubb, is optional but recommended. It is required to run OVS daemons as a non-root user with dropped root privileges. If libcap-ng is installed, then Open vSwitch will automatically build with support for it. In m4/openvswitch.m4, I see two uses of == with the "test" command. These should be "=". Also please quote cap-ng with [] here: + AC_CHECK_LIB(cap-ng, [capng_clear], [HAVE_LIBCAPNG=yes]) Acked-by: Ben Pfaff <blp@nicira.com>
On Tue, Sep 29, 2015 at 5:06 PM, Ben Pfaff <blp@nicira.com> wrote: > On Tue, Sep 22, 2015 at 05:51:10PM -0700, Andy Zhou wrote: >> Add configuration option for enabling or disabling linking with >> libcap-ng. Since capabilities are a security feature, the libcapng >> option is handled as follows: >> >> - no option: use libcapng if it's present >> >> --disable-libcapng: do not use libcapng >> >> --enable-libcapng: do use libcapng and fail configuration if >> it's missing >> >> On Linux, not linking with libcapng makes all OVS daemons fail when >> --user option is specified. >> >> Signed-off-by: Andy Zhou <azhou@nicira.com> > > Thanks for writing this! The commit message are mostly stolen from the review comments. So the reviewer should get the credits :-) > >> + - libcap-ng, written by Steve Grubb, is optional but recommended >> + if you plan to user --user option for running Open vSwitch on >> + Linux with kernel based datapath. libcap-ng is required to run >> + OVS daemons as a non-root user with dropped root privileges. If >> + libcap-ng is installed, then Open vSwitch will automatically >> + build with support for it. > > Maybe a little more straightforwardly: > > - libcap-ng, written by Steve Grubb, is optional but recommended. It > is required to run OVS daemons as a non-root user with dropped root > privileges. If libcap-ng is installed, then Open vSwitch will > automatically build with support for it. > > In m4/openvswitch.m4, I see two uses of == with the "test" command. > These should be "=". Also please quote cap-ng with [] here: > + AC_CHECK_LIB(cap-ng, [capng_clear], [HAVE_LIBCAPNG=yes]) > > Acked-by: Ben Pfaff <blp@nicira.com> Thanks for the review. Applied to master with changes suggested.
diff --git a/INSTALL.md b/INSTALL.md index 9dac430..50ab6c7 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -43,6 +43,13 @@ you will need the following software: libssl is installed, then Open vSwitch will automatically build with support for it. + - libcap-ng, written by Steve Grubb, is optional but recommended + if you plan to user --user option for running Open vSwitch on + Linux with kernel based datapath. libcap-ng is required to run + OVS daemons as a non-root user with dropped root privileges. If + libcap-ng is installed, then Open vSwitch will automatically + build with support for it. + - Python 2.7. On Linux, you may choose to compile the kernel module that comes with diff --git a/configure.ac b/configure.ac index 36387a1..39055fe 100644 --- a/configure.ac +++ b/configure.ac @@ -91,6 +91,7 @@ OVS_CHECK_COVERAGE OVS_CHECK_NDEBUG OVS_CHECK_NETLINK OVS_CHECK_OPENSSL +OVS_CHECK_LIBCAPNG OVS_CHECK_LOGDIR OVS_CHECK_PYTHON OVS_CHECK_DOT diff --git a/lib/automake.mk b/lib/automake.mk index 5fdd08f..d8c00da 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -8,6 +8,7 @@ lib_LTLIBRARIES += lib/libopenvswitch.la lib_libopenvswitch_la_LIBADD = $(SSL_LIBS) +lib_libopenvswitch_la_LIBADD += $(CAPNG_LDADD) if WIN32 lib_libopenvswitch_la_LIBADD += ${PTHREAD_LIBS} diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 index 087c7e5..a36e07d 100644 --- a/m4/openvswitch.m4 +++ b/m4/openvswitch.m4 
@@ -157,6 +157,42 @@ AC_DEFUN([OVS_CHECK_NETLINK], [Define to 1 if Netlink protocol is available.]) fi]) +dnl Checks for libcap-ng. +AC_DEFUN([OVS_CHECK_LIBCAPNG], + [AC_ARG_ENABLE( + [libcapng], + [AC_HELP_STRING([--disable-libcapng], [Disable Linux capability support])], + [case "${enableval}" in + (yes) libcapng=true ;; + (no) libcapng=false ;; + (*) AC_MSG_ERROR([bad value ${enableval} for --enable-libcapng]) ;; + esac], + [libcapng=check]) + + if test "$libcapng" != false; then + AC_CHECK_LIB(cap-ng, [capng_clear], [HAVE_LIBCAPNG=yes]) + + if test "$HAVE_LIBCAPNG" != yes; then + if test "$libcapng" == true ; then + AC_MSG_ERROR([libcap-ng support requested, but not found]) + fi + if test "$libcapng" == check ; then + AC_MSG_WARN([cannot find libcap-ng. +--user option will not be supported on Linux. +(you may use --disable-libcapng to suppress this warning). ]) + fi + fi + fi + + AC_SUBST([HAVE_LIBCAPNG]) + AM_CONDITIONAL([HAVE_LIBCAPNG], [test "$HAVE_LIBCAPNG" = yes]) + if test "$HAVE_LIBCAPNG" = yes; then + AC_DEFINE([HAVE_LIBCAPNG], [1], + [Define to 1 if libcap-ng is available.]) + CAPNG_LDADD="-lcap-ng" + AC_SUBST([CAPNG_LDADD]) + fi]) + dnl Checks for OpenSSL. AC_DEFUN([OVS_CHECK_OPENSSL], [AC_ARG_ENABLE(
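Review bot: in the INSTALL.md hunk, "if you plan to user --user option" is a typo for "if you plan to use the --user option". The paragraph would also read better if it stated the consequence the commit message spells out, that on Linux the daemons refuse to start with --user when libcap-ng support was not built in, so that someone reading only INSTALL.md knows why the library is recommended.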
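Review bot: in the m4/openvswitch.m4 hunk, the two comparisons `if test "$libcapng" == true ; then` and `if test "$libcapng" == check ; then` use `==`, which is a bash extension; configure runs under /bin/sh, which on Debian-style systems is dash, where `test` reports "unexpected operator" and the --enable-libcapng failure path is silently skipped. Use `=` in both places, as the existing `test "$HAVE_LIBCAPNG" = yes` lines already do. Also quote the library name in `AC_CHECK_LIB([cap-ng], [capng_clear], [HAVE_LIBCAPNG=yes])` so m4 does not touch it, and prefer AS_HELP_STRING over the obsolete AC_HELP_STRING. Two smaller points: AC_CHECK_LIB only proves the shared library links, so a host with the runtime package but no development headers passes configure and fails at compile time; an `AC_CHECK_HEADER([cap-ng.h])` alongside it turns that into a configure-time error. And `AC_SUBST([CAPNG_LDADD])` can sit next to `AC_SUBST([HAVE_LIBCAPNG])` outside the shell `if`, since autoconf processes AC_SUBST when it expands the macro, not at run time; the variable is substituted (empty) either way, so lib/automake.mk's unconditional `+= $(CAPNG_LDADD)` is fine, but the placement suggests otherwise to the reader. Finally, because the default (`libcapng=check`) only warns when the library is missing, a packaging build that is expected to run the daemons with --user should pass --enable-libcapng explicitly so a missing libcap-ng is a hard failure rather than a warning buried in configure output.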
Add configuration option for enabling or disabling linking with
libcap-ng. Since capabilities are a security feature, the libcapng
option is handled as follows:

- no option: use libcapng if it's present
- --disable-libcapng: do not use libcapng
- --enable-libcapng: do use libcapng and fail configuration if it's missing

On Linux, not linking with libcapng makes all OVS daemons fail when
--user option is specified.

Signed-off-by: Andy Zhou <azhou@nicira.com>
---
 INSTALL.md        |  7 +++++++
 configure.ac      |  1 +
 lib/automake.mk   |  1 +
 m4/openvswitch.m4 | 36 ++++++++++++++++++++++++++++++++++++
 4 files changed, 45 insertions(+)
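Because the default mode only warns when libcap-ng is absent, a tree can build successfully and still produce daemons that refuse --user on Linux. The following post-build check is an added example, not part of the patch or of the Open vSwitch sources; it assumes the autoheader-generated config.h in the build directory and, optionally, the path of a built daemon binary, and reports whether the HAVE_LIBCAPNG macro was defined and whether the binary actually links libcap-ng.

```shell
# Post-build check: did this Open vSwitch build get libcap-ng support?
# Added example (not from the patch or the OVS tree). Assumes the
# autoheader output config.h and, optionally, a built daemon binary.

# Return 0 if config.h defines HAVE_LIBCAPNG, 1 otherwise.
# autoheader writes "/* #undef HAVE_LIBCAPNG */" when the check failed,
# so a plain substring search for the macro name would give a false yes.
config_has_libcapng() {
    config_h="$1"
    [ -r "$config_h" ] || return 1
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_LIBCAPNG[[:space:]]+1' "$config_h"
}

# Return 0 if the binary is dynamically linked against libcap-ng,
# 1 if not (or the path is not an executable), 2 if ldd is unavailable
# (ldd is not POSIX, so the link check is reported as unknown).
binary_links_libcapng() {
    bin="$1"
    [ -x "$bin" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$bin" 2>/dev/null | grep -q 'libcap-ng\.so'
}

# Report both results; return non-zero when the tree cannot honour --user.
check_ovs_build() {
    config_h="$1"
    bin="${2:-}"
    status=0
    if config_has_libcapng "$config_h"; then
        echo "config.h: HAVE_LIBCAPNG defined"
    else
        echo "config.h: HAVE_LIBCAPNG not defined; --user will fail on Linux"
        status=1
    fi
    if [ -n "$bin" ]; then
        rc=0
        binary_links_libcapng "$bin" || rc=$?
        case $rc in
            0) echo "$bin: linked against libcap-ng" ;;
            2) echo "$bin: ldd unavailable, link check skipped" ;;
            *) echo "$bin: not linked against libcap-ng"; status=1 ;;
        esac
    fi
    return $status
}

# Usage: sh check_capng.sh path/to/config.h [path/to/ovs-vswitchd]
if [ "$#" -gt 0 ]; then
    check_ovs_build "$@"
fi
```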