Message ID | 20170603151001.19716-5-aconole@redhat.com |
---|---|
State | Superseded |
On 03/06/17 16:09, Aaron Conole wrote:
> Under rpm based distributions, the only user:group that the rhel daemons run
> as is 'root:root'. This is fine as a default, but as part of a security
> procedure, users may want to run as an alternate uid/gid. This commit
> adds an OVS_USER_ID environment variable for systemd, which defaults to
> root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
> environment file.
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---

I think it looks reasonable

Reviewed-by: Markos Chandras <mchandras@suse.de>
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service index 39627e9..d63bf4d 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service @@ -10,11 +10,14 @@ PartOf=openvswitch.service [Service] Type=forking Restart=on-failure +Environment="OVS_USER_ID=root:root" EnvironmentFile=-/etc/sysconfig/openvswitch ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ + --ovs-user=${OVS_USER_ID} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \ --no-monitor --system-id=random \ + --ovs-user=${OVS_USER_ID} \ restart $OPTIONS diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 68deace..67b50c8 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -8,12 +8,15 @@ PartOf=openvswitch.service [Service] Type=forking Restart=on-failure +Environment="OVS_USER_ID=root:root" EnvironmentFile=-/etc/sysconfig/openvswitch ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovs-vswitchd --no-monitor --system-id=random \ + --ovs-user=${OVS_USER_ID} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \ + --ovs-user=${OVS_USER_ID} \ --no-monitor restart $OPTIONS RuntimeDirectory=openvswitch RuntimeDirectoryMode=0755 diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template index 3050a07..fdaee00 100644 --- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template +++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template 
@@ -21,3 +21,6 @@ # --ovsdb-server-wrapper=valgrind # OPTIONS="" + +# Uncomment and set the OVS User/Group value +#OVS_USER_ID="openvswitch:openvswitch"
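Review bot: in the ovs-vswitchd.service hunk, ExecStop still invokes ovs-ctl without --ovs-user=${OVS_USER_ID} while ExecStart and ExecReload both pass it; if ovs-ctl's stop path has to touch anything the start path created as the configured user, the two will disagree, so either add the option to ExecStop as well or state in the commit message why stop does not need it. The Environment="OVS_USER_ID=root:root" line placed before EnvironmentFile=-/etc/sysconfig/openvswitch is the right order, since systemd applies later assignments over earlier ones and the sysconfig value therefore overrides the default.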
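Review bot: in the ovsdb-server.service hunk, the unit keeps RuntimeDirectory=openvswitch with RuntimeDirectoryMode=0755 and sets no User=, so systemd creates /run/openvswitch owned by root; once ovs-ctl switches the daemon to a non-root OVS_USER_ID, that user cannot create anything in the directory unless ovs-ctl --ovs-user changes its ownership first, so confirm that it does or adjust the directory ownership in the unit. Also, --ovs-user=${OVS_USER_ID} is inserted before --no-monitor in this unit's ExecReload but after it in its ExecStart and in both ovs-vswitchd commands; keep the option order consistent across the three call sites.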
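Review bot: in the sysconfig template hunk, the comment "Uncomment and set the OVS User/Group value" does not say that the value must have the form user:group, that both names must already exist on the host, or that the value reaches ovs-ctl unchanged via --ovs-user, and nothing in this patch creates the openvswitch:openvswitch account the example names; expand the comment to give the format, say where the account is expected to come from, and show the built-in default, e.g. "# Default (from the unit file): OVS_USER_ID=root:root".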
Under rpm based distributions, the only user:group that the rhel daemons run
as is 'root:root'. This is fine as a default, but as part of a security
procedure, users may want to run as an alternate uid/gid. This commit
adds an OVS_USER_ID environment variable for systemd, which defaults to
root:root, but can be overridden by changing the /etc/sysconfig/openvswitch
environment file.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/usr_lib_systemd_system_ovs-vswitchd.service              | 3 +++
 rhel/usr_lib_systemd_system_ovsdb-server.service              | 3 +++
 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template | 3 +++
 3 files changed, 9 insertions(+)
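A pre-flight check for the mechanism the commit message describes, as an added example that is not part of this patch or of the Open vSwitch project: it reproduces how the unit's Environment= default and the optional EnvironmentFile= combine (the last OVS_USER_ID assignment in the file wins, a missing file leaves root:root), then verifies that the resulting user:group actually resolves on the host before it is handed to ovs-ctl --ovs-user, which is where a misspelled or not-yet-created account would otherwise surface as a failed start. The sysconfig parsing is a simplified model of systemd's EnvironmentFile= reader, the function names are this example's own, and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Open vSwitch code): pre-flight check for OVS_USER_ID.
#
# The patched units set Environment="OVS_USER_ID=root:root" and then read
# EnvironmentFile=-/etc/sysconfig/openvswitch, so a value in that file
# overrides the default and is passed verbatim as ovs-ctl --ovs-user=...
# These helpers model that resolution and check the result up front.

OVS_USER_ID_DEFAULT="root:root"   # mirrors Environment= in the unit files

# resolve_ovs_user_id FILE
# Print the effective user:group.  Simplified model of systemd's
# EnvironmentFile= parsing: '#' lines are ignored, the last assignment
# wins, surrounding double quotes are stripped, and an unreadable file
# (the leading '-' in EnvironmentFile=-) leaves the default in place.
resolve_ovs_user_id() {
    file="$1"
    value="$OVS_USER_ID_DEFAULT"
    if [ -r "$file" ]; then
        line=$(grep '^OVS_USER_ID=' "$file" | tail -n 1)
        if [ -n "$line" ]; then
            value=${line#OVS_USER_ID=}
            value=$(printf '%s' "$value" | sed -e 's/^"//' -e 's/"$//')
        fi
    fi
    printf '%s\n' "$value"
}

# Name lookups go through NSS via getent so LDAP/sssd accounts are seen;
# the fallbacks only matter where getent is not installed.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || id "$1" >/dev/null 2>&1
}
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# validate_ovs_user_id USER:GROUP
# Return 0 only if the value has exactly one ':' with a non-empty name on
# each side and both names resolve on this host.
validate_ovs_user_id() {
    spec="$1"
    case "$spec" in
        *:*:*|:*|*:|"") return 1 ;;   # too many ':' or an empty side
        *:*) ;;                        # exactly one ':' -> keep checking
        *) return 1 ;;                 # no ':' at all
    esac
    user=${spec%%:*}
    group=${spec#*:}
    user_exists "$user"   || return 1
    group_exists "$group" || return 1
    return 0
}

# Demo on a constructed sysconfig file (not the real /etc/sysconfig/openvswitch).
demo_file=$(mktemp)
printf '%s\n' 'OPTIONS=""' \
    '# Uncomment and set the OVS User/Group value' \
    '#OVS_USER_ID="openvswitch:openvswitch"' > "$demo_file"
effective=$(resolve_ovs_user_id "$demo_file")
echo "shipped template, line still commented: --ovs-user=$effective"

# Operator uncomments the line: the file now overrides the unit default.
printf '%s\n' 'OVS_USER_ID="openvswitch:openvswitch"' >> "$demo_file"
effective=$(resolve_ovs_user_id "$demo_file")
if validate_ovs_user_id "$effective"; then
    echo "override: --ovs-user=$effective resolves on this host"
else
    echo "override: --ovs-user=$effective does NOT resolve; create the account before enabling the units"
fi
rm -f "$demo_file"
```

Run it on the host that will receive the sysconfig file; the second branch of the demo is the case the template comment does not warn about, a user:group that the package never created.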