
[ovs-dev] redhat: Create /etc/openvswitch/* with openvswitch as user/group

Message ID d38cc5170a4f92fbc6951cbd3b0c2f47af8218b1.1511974013.git.tredaelli@redhat.com
State Accepted

Commit Message

Timothy Redaelli Nov. 29, 2017, 4:46 p.m. UTC
Without this commit it is not possible to upgrade an openvswitch release
that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release
that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because
rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server
starts with the user openvswitch and so it doesn't have permissions to write in
/etc/openvswitch/conf.db.

This patch tells rpm to use the openvswitch user and group for
/etc/openvswitch and /etc/openvswitch/default.conf.

Reported-by: Mark Michelson <mmichels@redhat.com>
CC: aaron conole <aconole@redhat.com>
Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
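
The position-dependent `%defattr` behaviour this patch relies on, worked through as an added example (not part of the patch or of the Open vSwitch project): it resolves the owner that each entry of the patched `%files` list ends up with. The entries are copied from the hunk on this page; the function names and the simplified parsing (only `%defattr` and `%attr` are interpreted) are assumptions of the example.

```python
import re

# %files entries as they read after the patch on this page (copied from the hunk).
PATCHED_FILES = """\
%defattr(-,openvswitch,openvswitch)
%dir %{_sysconfdir}/openvswitch
%{_sysconfdir}/openvswitch/default.conf
%config %ghost %{_sysconfdir}/openvswitch/conf.db
%ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~
%config %ghost %{_sysconfdir}/openvswitch/system-id.conf
%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch
%defattr(-,root,root)
%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
%config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch
"""

# Matches %defattr(mode,user,group[,dirmode]) and %attr(mode,user,group).
ATTR_RE = re.compile(r"%(defattr|attr)\(([^)]*)\)")


def effective_owners(files_section, default=("root", "root")):
    """Return [(path, user, group)] for every entry of a %files section.

    %defattr applies to all following entries until the next %defattr;
    %attr overrides the owner of the single entry it is attached to.
    """
    current = default
    result = []
    for raw in files_section.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        owner = current
        for kind, args in ATTR_RE.findall(line):
            fields = [f.strip() for f in args.split(",")]
            if len(fields) < 3:
                continue  # malformed directive: ignore it
            # "-" leaves the corresponding value unchanged.
            owner = tuple(owner[i] if fields[i + 1] == "-" else fields[i + 1]
                          for i in range(2))
            if kind == "defattr":
                current = owner
        tokens = ATTR_RE.sub("", line).split()
        if tokens:  # last token is the path, the rest are %dir/%config/%ghost
            result.append((tokens[-1], owner[0], owner[1]))
    return result


def owned_outside(owners, user, prefix):
    """Paths owned by `user` that are neither `prefix` nor below it."""
    return [p for p, u, _ in owners
            if u == user and p != prefix and not p.startswith(prefix + "/")]


if __name__ == "__main__":
    owners = effective_owners(PATCHED_FILES)
    for path, user, group in owners:
        print(f"{user}:{group}  {path}")
    print("outside /etc/openvswitch:",
          owned_outside(owners, "openvswitch", "%{_sysconfdir}/openvswitch"))
```
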

Comments

Mark Michelson Nov. 29, 2017, 4:53 p.m. UTC | #1
On Wed, Nov 29, 2017 at 10:47 AM Timothy Redaelli <tredaelli@redhat.com>
wrote:

> Without this commit is not possible to upgrade an openvswitch release
> that includes the commit ac416a3ab2d2 (for example 2.8.0) with another
> release
> that includes the commit ac416a3ab2d2 (for example master or 2.8.1),
> because
> rpm changes the user/group of /etc/openvswitch to root/root, but
> ovsdb-server
> starts with the user openvswitch and so it doesn't have permissions to
> write in
> /etc/openvswitch/conf.db.
>
> This patch tell rpm to use the openvswitch user and group for
> /etc/openvswitch and /etc/openvswitch/default.conf.
>
> Reported-by: Mark Michelson <mmichels@redhat.com>
> CC: aaron conole <aconole@redhat.com>
> Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
>

Tested-by: Mark Michelson <mmichels@redhat.com>


> ---
>  rhel/openvswitch-fedora.spec.in | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
> openvswitch-fedora.spec.in
> index e600a943c..ed991cf07 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -519,15 +519,16 @@ fi
>  %{_includedir}/ovn/*
>
>  %files
> -%defattr(-,root,root)
> -%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
> -%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
> +%defattr(-,openvswitch,openvswitch)
>  %dir %{_sysconfdir}/openvswitch
>  %{_sysconfdir}/openvswitch/default.conf
>  %config %ghost %{_sysconfdir}/openvswitch/conf.db
>  %ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~
>  %config %ghost %{_sysconfdir}/openvswitch/system-id.conf
>  %config(noreplace) %{_sysconfdir}/sysconfig/openvswitch
> +%defattr(-,root,root)
> +%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
> +%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
>  %config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch
>  %{_unitdir}/openvswitch.service
>  %{_unitdir}/ovsdb-server.service
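
Review bot: `%config(noreplace) %{_sysconfdir}/sysconfig/openvswitch` sits between the new `%defattr(-,openvswitch,openvswitch)` and the restored `%defattr(-,root,root)`, so it also becomes owned by openvswitch, although the commit message names only /etc/openvswitch and /etc/openvswitch/default.conf. If that is not intended, move the `%defattr(-,root,root)` line above the sysconfig entry so that a configuration file outside /etc/openvswitch stays root-owned and the service account cannot rewrite it.
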
> --
> 2.14.3
>
Aaron Conole Nov. 29, 2017, 4:53 p.m. UTC | #2
Timothy Redaelli <tredaelli@redhat.com> writes:

> Without this commit is not possible to upgrade an openvswitch release
> that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release
> that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because
> rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server
> starts with the user openvswitch and so it doesn't have permissions to write in
> /etc/openvswitch/conf.db.
>
> This patch tell rpm to use the openvswitch user and group for
> /etc/openvswitch and /etc/openvswitch/default.conf.
>
> Reported-by: Mark Michelson <mmichels@redhat.com>
> CC: aaron conole <aconole@redhat.com>
> Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> ---

Ugh.  I guess this is only a problem if you install ovs 2.8, and then
upgrade before creating the database?

Regardless

Acked-by: Aaron Conole <aconole@redhat.com>
Ben Pfaff Nov. 29, 2017, 5:06 p.m. UTC | #3
On Wed, Nov 29, 2017 at 05:46:53PM +0100, Timothy Redaelli wrote:
> Without this commit is not possible to upgrade an openvswitch release
> that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release
> that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because
> rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server
> starts with the user openvswitch and so it doesn't have permissions to write in
> /etc/openvswitch/conf.db.
> 
> This patch tell rpm to use the openvswitch user and group for
> /etc/openvswitch and /etc/openvswitch/default.conf.
> 
> Reported-by: Mark Michelson <mmichels@redhat.com>
> CC: aaron conole <aconole@redhat.com>
> Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>

Applied to master, thanks!

Does this need backporting?
Mark Michelson Nov. 29, 2017, 5:07 p.m. UTC | #4
On Wed, Nov 29, 2017 at 10:54 AM Aaron Conole <aconole@redhat.com> wrote:

> Timothy Redaelli <tredaelli@redhat.com> writes:
>
> > Without this commit is not possible to upgrade an openvswitch release
> > that includes the commit ac416a3ab2d2 (for example 2.8.0) with another
> release
> > that includes the commit ac416a3ab2d2 (for example master or 2.8.1),
> because
> > rpm changes the user/group of /etc/openvswitch to root/root, but
> ovsdb-server
> > starts with the user openvswitch and so it doesn't have permissions to
> write in
> > /etc/openvswitch/conf.db.
> >
> > This patch tell rpm to use the openvswitch user and group for
> > /etc/openvswitch and /etc/openvswitch/default.conf.
> >
> > Reported-by: Mark Michelson <mmichels@redhat.com>
> > CC: aaron conole <aconole@redhat.com>
> > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs
> user")
> > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > ---
>
> Ugh.  I guess this is only a problem if you install ovs 2.8, and then
> upgrade before creating the database?
>
> Regardless
>
> Acked-by: Aaron Conole <aconole@redhat.com>
>

Nope, in my case I was installing OVS 2.8.0, starting openvswitch,
ovn-central, and ovn-controller services. I added information to the
external_ids column of the open_vswitch table so that the ovn-controller
could connect to the OVN southbound database. I ensured that ovn-sbctl
reported the chassis as expected.

Then I performed the upgrade. After upgrading the RPMs, /etc/openvswitch's
ownership had changed from openvswitch:openvswitch to root:root.
Attempting to restart the ovs-vswitchd service at this point failed.
Mark Michelson Nov. 29, 2017, 5:08 p.m. UTC | #5
On Wed, Nov 29, 2017 at 11:06 AM Ben Pfaff <blp@ovn.org> wrote:

> On Wed, Nov 29, 2017 at 05:46:53PM +0100, Timothy Redaelli wrote:
> > Without this commit is not possible to upgrade an openvswitch release
> > that includes the commit ac416a3ab2d2 (for example 2.8.0) with another
> release
> > that includes the commit ac416a3ab2d2 (for example master or 2.8.1),
> because
> > rpm changes the user/group of /etc/openvswitch to root/root, but
> ovsdb-server
> > starts with the user openvswitch and so it doesn't have permissions to
> write in
> > /etc/openvswitch/conf.db.
> >
> > This patch tell rpm to use the openvswitch user and group for
> > /etc/openvswitch and /etc/openvswitch/default.conf.
> >
> > Reported-by: Mark Michelson <mmichels@redhat.com>
> > CC: aaron conole <aconole@redhat.com>
> > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs
> user")
> > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
>
> Applied to master, thanks!
>
> Does this need backporting?
>

Yes, this needs to go in 2.8 as well. 2.7 and below are unaffected. Thank
you.
Aaron Conole Nov. 29, 2017, 5:10 p.m. UTC | #6
Mark Michelson <mmichels@redhat.com> writes:

> On Wed, Nov 29, 2017 at 10:54 AM Aaron Conole <aconole@redhat.com> wrote:
>
>  Timothy Redaelli <tredaelli@redhat.com> writes:
>
>  > Without this commit is not possible to upgrade an openvswitch release
>  > that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release
>  > that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because
>  > rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server
>  > starts with the user openvswitch and so it doesn't have permissions to write in
>  > /etc/openvswitch/conf.db.
>  >
>  > This patch tell rpm to use the openvswitch user and group for
>  > /etc/openvswitch and /etc/openvswitch/default.conf.
>  >
>  > Reported-by: Mark Michelson <mmichels@redhat.com>
>  > CC: aaron conole <aconole@redhat.com>
>  > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
>  > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
>  > ---
>
>  Ugh.  I guess this is only a problem if you install ovs 2.8, and then
>  upgrade before creating the database?
>
>  Regardless
>
>  Acked-by: Aaron Conole <aconole@redhat.com>
>
> Nope, in my case I was installing OVS 2.8.0, starting openvswitch, ovn-central, and ovn-controller
> services. I added information to the external_ids column of the open_vswitch table so that the
> ovn-controller could connect to the OVN southbound database. I ensured that ovn-sbctl reported the
> chassis as expected.
>
> Then I performed the upgrade. After upgrading the RPMs, /etc/openvswitch's ownership had changed
> from openvswitch:openvswitch to root:root.  Attempting to restart the ovs-vswitchd service at this point
> failed.

Ouch.  I thought I had confirmed the ability to upgrade again... somehow
I guess my testing wasn't sufficient.

Thanks Mark and Timothy.
Ben Pfaff Nov. 29, 2017, 5:15 p.m. UTC | #7
On Wed, Nov 29, 2017 at 12:10:42PM -0500, Aaron Conole wrote:
> Mark Michelson <mmichels@redhat.com> writes:
> 
> > On Wed, Nov 29, 2017 at 10:54 AM Aaron Conole <aconole@redhat.com> wrote:
> >
> >  Timothy Redaelli <tredaelli@redhat.com> writes:
> >
> >  > Without this commit is not possible to upgrade an openvswitch release
> >  > that includes the commit ac416a3ab2d2 (for example 2.8.0) with another release
> >  > that includes the commit ac416a3ab2d2 (for example master or 2.8.1), because
> >  > rpm changes the user/group of /etc/openvswitch to root/root, but ovsdb-server
> >  > starts with the user openvswitch and so it doesn't have permissions to write in
> >  > /etc/openvswitch/conf.db.
> >  >
> >  > This patch tell rpm to use the openvswitch user and group for
> >  > /etc/openvswitch and /etc/openvswitch/default.conf.
> >  >
> >  > Reported-by: Mark Michelson <mmichels@redhat.com>
> >  > CC: aaron conole <aconole@redhat.com>
> >  > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs user")
> >  > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> >  > ---
> >
> >  Ugh.  I guess this is only a problem if you install ovs 2.8, and then
> >  upgrade before creating the database?
> >
> >  Regardless
> >
> >  Acked-by: Aaron Conole <aconole@redhat.com>
> >
> > Nope, in my case I was installing OVS 2.8.0, starting openvswitch, ovn-central, and ovn-controller
> > services. I added information to the external_ids column of the open_vswitch table so that the
> > ovn-controller could connect to the OVN southbound database. I ensured that ovn-sbctl reported the
> > chassis as expected.
> >
> > Then I performed the upgrade. After upgrading the RPMs, /etc/openvswitch's ownership had changed
> > from openvswitch:openvswitch to root:root.  Attempting to restart the ovs-vswitchd service at this point
> > failed.
> 
> Ouch.  I thought I had confirmed the ability to upgrade again... somehow
> I guess my testing wasn't sufficient.

Now I'm concerned.  Should I not have applied this?  Does it need a
revert?
Mark Michelson Nov. 29, 2017, 5:29 p.m. UTC | #8
On Wed, Nov 29, 2017 at 11:15 AM Ben Pfaff <blp@ovn.org> wrote:

> On Wed, Nov 29, 2017 at 12:10:42PM -0500, Aaron Conole wrote:
> > Mark Michelson <mmichels@redhat.com> writes:
> >
> > > On Wed, Nov 29, 2017 at 10:54 AM Aaron Conole <aconole@redhat.com>
> wrote:
> > >
> > >  Timothy Redaelli <tredaelli@redhat.com> writes:
> > >
> > >  > Without this commit is not possible to upgrade an openvswitch
> release
> > >  > that includes the commit ac416a3ab2d2 (for example 2.8.0) with
> another release
> > >  > that includes the commit ac416a3ab2d2 (for example master or
> 2.8.1), because
> > >  > rpm changes the user/group of /etc/openvswitch to root/root, but
> ovsdb-server
> > >  > starts with the user openvswitch and so it doesn't have permissions
> to write in
> > >  > /etc/openvswitch/conf.db.
> > >  >
> > >  > This patch tell rpm to use the openvswitch user and group for
> > >  > /etc/openvswitch and /etc/openvswitch/default.conf.
> > >  >
> > >  > Reported-by: Mark Michelson <mmichels@redhat.com>
> > >  > CC: aaron conole <aconole@redhat.com>
> > >  > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference
> ovs user")
> > >  > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > >  > ---
> > >
> > >  Ugh.  I guess this is only a problem if you install ovs 2.8, and then
> > >  upgrade before creating the database?
> > >
> > >  Regardless
> > >
> > >  Acked-by: Aaron Conole <aconole@redhat.com>
> > >
> > > Nope, in my case I was installing OVS 2.8.0, starting openvswitch,
> ovn-central, and ovn-controller
> > > services. I added information to the external_ids column of the
> open_vswitch table so that the
> > > ovn-controller could connect to the OVN southbound database. I ensured
> that ovn-sbctl reported the
> > > chassis as expected.
> > >
> > > Then I performed the upgrade. After upgrading the RPMs,
> /etc/openvswitch's ownership had changed
> > > from openvswitch:openvswitch to root:root.  Attempting to restart the
> ovs-vswitchd service at this point
> > > failed.
> >
> > Ouch.  I thought I had confirmed the ability to upgrade again... somehow
> > I guess my testing wasn't sufficient.
>
> Now I'm concerned.  Should I not have applied this?  Does it need a
> revert?
>

No need to revert. There was just confusion over what needed to be done in
order to trigger the issue that is fixed by this patch.
Ben Pfaff Nov. 29, 2017, 5:37 p.m. UTC | #9
On Wed, Nov 29, 2017 at 05:08:26PM +0000, Mark Michelson wrote:
> On Wed, Nov 29, 2017 at 11:06 AM Ben Pfaff <blp@ovn.org> wrote:
> 
> > On Wed, Nov 29, 2017 at 05:46:53PM +0100, Timothy Redaelli wrote:
> > > Without this commit is not possible to upgrade an openvswitch release
> > > that includes the commit ac416a3ab2d2 (for example 2.8.0) with another
> > release
> > > that includes the commit ac416a3ab2d2 (for example master or 2.8.1),
> > because
> > > rpm changes the user/group of /etc/openvswitch to root/root, but
> > ovsdb-server
> > > starts with the user openvswitch and so it doesn't have permissions to
> > write in
> > > /etc/openvswitch/conf.db.
> > >
> > > This patch tell rpm to use the openvswitch user and group for
> > > /etc/openvswitch and /etc/openvswitch/default.conf.
> > >
> > > Reported-by: Mark Michelson <mmichels@redhat.com>
> > > CC: aaron conole <aconole@redhat.com>
> > > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference ovs
> > user")
> > > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> >
> > Applied to master, thanks!
> >
> > Does this need backporting?
> >
> 
> Yes, this needs to go in 2.8 as well. 2.7 and below are unaffected. Thank
> you.

Backported to 2.8.
Ben Pfaff Nov. 29, 2017, 5:37 p.m. UTC | #10
On Wed, Nov 29, 2017 at 05:29:26PM +0000, Mark Michelson wrote:
> On Wed, Nov 29, 2017 at 11:15 AM Ben Pfaff <blp@ovn.org> wrote:
> 
> > On Wed, Nov 29, 2017 at 12:10:42PM -0500, Aaron Conole wrote:
> > > Mark Michelson <mmichels@redhat.com> writes:
> > >
> > > > On Wed, Nov 29, 2017 at 10:54 AM Aaron Conole <aconole@redhat.com>
> > wrote:
> > > >
> > > >  Timothy Redaelli <tredaelli@redhat.com> writes:
> > > >
> > > >  > Without this commit is not possible to upgrade an openvswitch
> > release
> > > >  > that includes the commit ac416a3ab2d2 (for example 2.8.0) with
> > another release
> > > >  > that includes the commit ac416a3ab2d2 (for example master or
> > 2.8.1), because
> > > >  > rpm changes the user/group of /etc/openvswitch to root/root, but
> > ovsdb-server
> > > >  > starts with the user openvswitch and so it doesn't have permissions
> > to write in
> > > >  > /etc/openvswitch/conf.db.
> > > >  >
> > > >  > This patch tell rpm to use the openvswitch user and group for
> > > >  > /etc/openvswitch and /etc/openvswitch/default.conf.
> > > >  >
> > > >  > Reported-by: Mark Michelson <mmichels@redhat.com>
> > > >  > CC: aaron conole <aconole@redhat.com>
> > > >  > Fixes: ac416a3ab2d2 ("redhat: dynamically allocate and reference
> > ovs user")
> > > >  > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > > >  > ---
> > > >
> > > >  Ugh.  I guess this is only a problem if you install ovs 2.8, and then
> > > >  upgrade before creating the database?
> > > >
> > > >  Regardless
> > > >
> > > >  Acked-by: Aaron Conole <aconole@redhat.com>
> > > >
> > > > Nope, in my case I was installing OVS 2.8.0, starting openvswitch,
> > ovn-central, and ovn-controller
> > > > services. I added information to the external_ids column of the
> > open_vswitch table so that the
> > > > ovn-controller could connect to the OVN southbound database. I ensured
> > that ovn-sbctl reported the
> > > > chassis as expected.
> > > >
> > > > Then I performed the upgrade. After upgrading the RPMs,
> > /etc/openvswitch's ownership had changed
> > > > from openvswitch:openvswitch to root:root.  Attempting to restart the
> > ovs-vswitchd service at this point
> > > > failed.
> > >
> > > Ouch.  I thought I had confirmed the ability to upgrade again... somehow
> > > I guess my testing wasn't sufficient.
> >
> > Now I'm concerned.  Should I not have applied this?  Does it need a
> > revert?
> >
> 
> No need to revert. There was just confusion over what needed to be done in
> order to trigger the issue that is fixed by this patch.

Thanks.

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index e600a943c..ed991cf07 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -519,15 +519,16 @@  fi
 %{_includedir}/ovn/*
 
 %files
-%defattr(-,root,root)
-%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
-%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
+%defattr(-,openvswitch,openvswitch)
 %dir %{_sysconfdir}/openvswitch
 %{_sysconfdir}/openvswitch/default.conf
 %config %ghost %{_sysconfdir}/openvswitch/conf.db
 %ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~
 %config %ghost %{_sysconfdir}/openvswitch/system-id.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/openvswitch
+%defattr(-,root,root)
+%{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
+%{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
 %config(noreplace) %{_sysconfdir}/logrotate.d/openvswitch
 %{_unitdir}/openvswitch.service
 %{_unitdir}/ovsdb-server.service
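
Review bot: the two `%defattr` lines make ownership depend on where an entry sits in `%files`, and nothing in the hunk documents that; an entry later added between them would silently become openvswitch-owned. Consider a comment above `%defattr(-,openvswitch,openvswitch)` stating that only paths ovsdb-server must write belong in that block, or keep a single `%defattr(-,root,root)` and put `%attr(-,openvswitch,openvswitch)` on the individual /etc/openvswitch entries so that each exception is explicit.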