Message ID | 1443738669-13577-1-git-send-email-fbl@redhat.com |
---|---|
State | Accepted |
> Our default systemd unit files don't make use of the --user option that
> requires this library, but conceivably someone may want to customize
> them and use this option.

Any down side if we change the unit files to make use of --user option
by default, like how Apache runs?
On 10/01/2015 06:31 PM, Flavio Leitner wrote:
> Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
> added optional usage of the libcap-ng library. It's packaged in Fedora,
> so go ahead and added it by default to the Fedora spec file.
>
> Our default systemd unit files don't make use of the --user option that
> requires this library, but conceivably someone may want to customize
> them and use this option.
>
> For those that don't want to use --user option, the Fedora package
> offers an option (--without libcapng) to build the RPMs without it.
>
> Signed-off-by: Flavio Leitner <fbl@redhat.com>

This patch looks good. Thanks for helping to flesh it out!

Signed-off-by: Russell Bryant <rbryant@redhat.com>
On 10/01/2015 06:47 PM, Andy Zhou wrote:
>> Our default systemd unit files don't make use of the --user option that
>> requires this library, but conceivably someone may want to customize
>> them and use this option.
>
> Any down side if we change the unit files to make use of --user option
> by default, like how Apache runs?
>

I'm not sure ... probably not? I'd just want to test it out first.

Also note that this version of the patch makes building with libcap-ng
optional, so we can't simply just add it to the system unit. It'll need
to be optional there, too.
On Thu, Oct 1, 2015 at 6:06 PM, Russell Bryant <rbryant@redhat.com> wrote:
> On 10/01/2015 06:47 PM, Andy Zhou wrote:
>>> Our default systemd unit files don't make use of the --user option that
>>> requires this library, but conceivably someone may want to customize
>>> them and use this option.
>>
>> Any down side if we change the unit files to make use of --user option
>> by default, like how Apache runs?
>>
>
> I'm not sure ... probably not? I'd just want to test it out first.
>
> Also note that this version of the patch makes building with libcap-ng
> optional, so we can't simply just add it to the system unit. It'll need
> to be optional there, too.
>
O.K. We can start with 2 packages and re-evaluate in the future.
On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
> > Our default systemd unit files don't make use of the --user option that
> > requires this library, but conceivably someone may want to customize
> > them and use this option.
>
> Any down side if we change the unit files to make use of --user option
> by default, like how Apache runs?

Does OVS re-open any resources in run-time?
ovs-appctl vlog/reopen for instance might break because of lack of
permissions.

SELinux might not like some operations being done with a different user.

fbl
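The permission question raised above is easy to check before a unit file is switched to --user. The script below is an added example, not part of this thread or of the OVS tree; it assumes GNU stat(1) on Linux, and the user name and file paths in the trailing comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the patch or the OVS tree): before pointing a
# systemd unit at --user, check that the files the daemon re-opens later
# (the log file that "ovs-appctl vlog/reopen" re-opens, for instance) are
# writable by that user. Assumes GNU stat(1); user name/paths below are
# placeholders.

# user_in_group USER GROUP: exit 0 if USER is a member of GROUP.
# An unknown user is treated as a member of nothing.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# can_write_as USER PATH: exit 0 if USER could open PATH for writing,
# judged from ownership and mode bits only (no ACLs, no SELinux, and no
# root override, which is the point: after --user the daemon is not root).
# Exit 2 if PATH does not exist.
can_write_as() {
    user=$1; path=$2
    info=$(stat -c '%U %G %A' "$path" 2>/dev/null) || return 2
    set -- $info
    owner=$1; group=$2; sym=$3          # sym looks like -rw-r-----
    if [ "$owner" = "$user" ]; then
        [ "$(printf %s "$sym" | cut -c3)" = w ]      # owner write bit
    elif user_in_group "$user" "$group"; then
        [ "$(printf %s "$sym" | cut -c6)" = w ]      # group write bit
    else
        [ "$(printf %s "$sym" | cut -c9)" = w ]      # other write bit
    fi
}

# check_reopen_targets USER PATH...: print one line per path and return
# the number of paths USER could not write (0 means safe to switch).
check_reopen_targets() {
    user=$1; shift; bad=0
    for p in "$@"; do
        if can_write_as "$user" "$p"; then
            echo "ok      $p"
        else
            echo "NOT OK  $p (reopen as $user would fail)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Typical call once the unit is customised (placeholder user and paths):
# check_reopen_targets openvswitch /var/log/openvswitch/ovs-vswitchd.log \
#     /var/run/openvswitch/ovs-vswitchd.pid
```

A root-owned log file with mode 644, left behind by an earlier run as root, is exactly the case that reports NOT OK.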
On Thu, Oct 01, 2015 at 09:03:47PM -0400, Russell Bryant wrote:
> On 10/01/2015 06:31 PM, Flavio Leitner wrote:
> > Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
> > added optional usage of the libcap-ng library. It's packaged in Fedora,
> > so go ahead and added it by default to the Fedora spec file.
> >
> > Our default systemd unit files don't make use of the --user option that
> > requires this library, but conceivably someone may want to customize
> > them and use this option.
> >
> > For those that don't want to use --user option, the Fedora package
> > offers an option (--without libcapng) to build the RPMs without it.
> >
> > Signed-off-by: Flavio Leitner <fbl@redhat.com>

Applied to master, thanks!

> This patch looks good. Thanks for helping to flesh it out!
>
> Signed-off-by: Russell Bryant <rbryant@redhat.com>

I converted that to an Acked-by.
On Fri, Oct 2, 2015 at 6:06 AM, Flavio Leitner <fbl@redhat.com> wrote:
> On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
>> > Our default systemd unit files don't make use of the --user option that
>> > requires this library, but conceivably someone may want to customize
>> > them and use this option.
>>
>> Any down side if we change the unit files to make use of --user option
>> by default, like how Apache runs?
>
> Does OVS re-open any resources in run-time?
> ovs-appctl vlog/reopen for instance might break because of lack of
> permissions.
Since daemon is doing the reopen, I'd think it should be O.K.
>
> SELinux might not like some operations being done with a different user.
>
I don't know much about SELinux. Just noticed that OVS package won't
install on a RHEL 7 where SELinux is turned on by default. It would be
good for OVS to co-exist with SELinux. Any input or guidance will be
greatly appreciated.
> fbl
On Fri, Oct 2, 2015 at 12:52 PM, Andy Zhou <azhou@nicira.com> wrote:
> On Fri, Oct 2, 2015 at 6:06 AM, Flavio Leitner <fbl@redhat.com> wrote:
>> On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
>>> > Our default systemd unit files don't make use of the --user option that
>>> > requires this library, but conceivably someone may want to customize
>>> > them and use this option.
>>>
>>> Any down side if we change the unit files to make use of --user option
>>> by default, like how Apache runs?
>>
>> Does OVS re-open any resources in run-time?
>> ovs-appctl vlog/reopen for instance might break because of lack of
>> permissions.
> Since daemon is doing the reopen, I'd think it should be O.K.
>>
>> SELinux might not like some operations being done with a different user.
>>
> I don't know much about SELinux. Just noticed that OVS package won't
> install on a RHEL 7
> where SELinux is turned on by default. It would be good for OVS to
> co-exist with SELinux.
> Any input or guidance will be greatly appreciated.

I just sent out a patch that fixes the SELinux "installation" issue on RHEL
and CentOS:
http://openvswitch.org/pipermail/dev/2015-October/060892.html

However, I would not be surprised that there is some more SELinux
tuning required.

>
>> fbl
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 695f1d7..066086c 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -13,6 +13,10 @@ #%define kernel 2.6.40.4-5.fc15.x86_64 +# If libcap-ng isn't available and there is no need for running OVS +# as regular user, specify the '--without libcapng' +%bcond_without libcapng + # Enable PIE, bz#955181 %global _hardened_build 1 @@ -42,6 +46,9 @@ BuildRequires: desktop-file-utils BuildRequires: groff graphviz # make check dependencies BuildRequires: procps-ng +%if %{with libcapng} +BuildRequires: libcap-ng libcap-ng-devel +%endif Requires: openssl iproute module-init-tools #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3 @@ -104,7 +111,15 @@ overlays and security groups. %setup -q %build -%configure --enable-ssl --with-pkidir=%{_sharedstatedir}/openvswitch/pki +%configure \ +%if %{with libcapng} + --enable-libcapng \ +%else + --disable-libcapng \ +%endif + --enable-ssl \ + --with-pkidir=%{_sharedstatedir}/openvswitch/pki + make %{?_smp_mflags} %install
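Review bot: the comment above `%bcond_without libcapng` in the first hunk is missing its object ("specify the '--without libcapng'" what?) and does not say what the default is. Since `%bcond_without` turns the feature on unless the builder passes `--without libcapng`, suggest wording it as `# libcap-ng support is on by default; pass '--without libcapng' to rpmbuild if the library is not available and OVS will not be run as a regular user.`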
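Review bot: in the second hunk, `BuildRequires: libcap-ng libcap-ng-devel` lists the runtime library as a build dependency; the `-devel` package already depends on it, so `BuildRequires: libcap-ng-devel` alone is enough. No explicit `Requires: libcap-ng` is needed either, because rpmbuild generates the runtime dependency on the shared library from the linked binaries.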
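Review bot: in the third hunk, the explicit `--disable-libcapng` in the `%else` branch deserves a one-line comment saying why it is there: if configure autodetects libcap-ng when given no flag, as the need for an explicit disable suggests, omitting it would let a build host that happens to have the library installed produce a binary different from what `--without libcapng` promises. The `%if`/`%else` could also be collapsed to `--%{?with_libcapng:enable}%{!?with_libcapng:disable}-libcapng \`, but the spelled-out form is easier to read and fine to keep.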
Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
added optional usage of the libcap-ng library. It's packaged in Fedora,
so go ahead and add it by default to the Fedora spec file.

Our default systemd unit files don't make use of the --user option that
requires this library, but conceivably someone may want to customize
them and use this option.

For those that don't want to use the --user option, the Fedora package
offers an option (--without libcapng) to build the RPMs without it.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)