| Message ID | f7ty3jw4ldz.fsf@dhcp-25.97.bos.redhat.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [ovs-dev] rhel: don't drop capabilities when running as root | expand |
On Tue, 13 Feb 2018 16:42:16 -0500 Aaron Conole <aconole@redhat.com> wrote: > Currently, regardless of which user is being set as the running user, > Open vSwitch daemons on RHEL systems drop capabilities. This means > the very powerful CAP_SYS_ADMIN is dropped, even when the user is > 'root'. > > For the majority of use cases this behavior works, as the user can > enable or disable various configurations, regardless of which datapath > functions are desired. However, when using certain DPDK PMDs, the > enablement and configuration calls require CAP_SYS_ADMIN. > > Instead of retaining CAP_SYS_ADMIN in all cases, which would > practically nullify the uid/gid and privilege drop, we don't pass the > --ovs-user option to the daemons. This shunts the capability and > privilege dropping code. > > Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com> > Reported-at: > https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html > Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root > user") Signed-off-by: Aaron Conole <aconole@redhat.com> --- > NOTE: I did test this a little bit on my system, passing packets, etc. > But more eyes can't be bad. > > rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++--- > rhel/usr_lib_systemd_system_ovsdb-server.service | 6 ++++-- > 2 files changed, 8 insertions(+), 5 deletions(-) > Acked-By: Timothy Redaelli <tredaelli@redhat.com>
Aaron Conole <aconole@redhat.com> writes: > Currently, regardless of which user is being set as the running user, > Open vSwitch daemons on RHEL systems drop capabilities. This means the > very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'. > > For the majority of use cases this behavior works, as the user can > enable or disable various configurations, regardless of which datapath > functions are desired. However, when using certain DPDK PMDs, the > enablement and configuration calls require CAP_SYS_ADMIN. > > Instead of retaining CAP_SYS_ADMIN in all cases, which would practically > nullify the uid/gid and privilege drop, we don't pass the --ovs-user > option to the daemons. This shunts the capability and privilege > dropping code. > > Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com> > Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html > Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user") > Signed-off-by: Aaron Conole <aconole@redhat.com> > --- Ping?
On Tue, Mar 27, 2018 at 9:26 AM, Aaron Conole <aconole@redhat.com> wrote: > Aaron Conole <aconole@redhat.com> writes: > >> Currently, regardless of which user is being set as the running user, >> Open vSwitch daemons on RHEL systems drop capabilities. This means the >> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'. >> >> For the majority of use cases this behavior works, as the user can >> enable or disable various configurations, regardless of which datapath >> functions are desired. However, when using certain DPDK PMDs, the >> enablement and configuration calls require CAP_SYS_ADMIN. >> >> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically >> nullify the uid/gid and privilege drop, we don't pass the --ovs-user >> option to the daemons. This shunts the capability and privilege >> dropping code. >> >> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com> >> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html >> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user") >> Signed-off-by: Aaron Conole <aconole@redhat.com> >> --- > > Ping? Applied to master and branch-2.9. Please continue to CC me on rhel patches like this that have been reviewed by someone and you feel are ready to be applied. Thanks,
Russell Bryant <russell@ovn.org> writes: > On Tue, Mar 27, 2018 at 9:26 AM, Aaron Conole <aconole@redhat.com> wrote: >> Aaron Conole <aconole@redhat.com> writes: >> >>> Currently, regardless of which user is being set as the running user, >>> Open vSwitch daemons on RHEL systems drop capabilities. This means the >>> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'. >>> >>> For the majority of use cases this behavior works, as the user can >>> enable or disable various configurations, regardless of which datapath >>> functions are desired. However, when using certain DPDK PMDs, the >>> enablement and configuration calls require CAP_SYS_ADMIN. >>> >>> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically >>> nullify the uid/gid and privilege drop, we don't pass the --ovs-user >>> option to the daemons. This shunts the capability and privilege >>> dropping code. >>> >>> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com> >>> Reported-at: >>> https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html >>> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user") >>> Signed-off-by: Aaron Conole <aconole@redhat.com> >>> --- >> >> Ping? > > Applied to master and branch-2.9. > > Please continue to CC me on rhel patches like this that have been > reviewed by someone and you feel are ready to be applied. Cool, will do. Thanks Russell! > Thanks,
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index c6d9aa1..889740f 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in @@ -13,17 +13,18 @@ Restart=on-failure Environment=HOME=/var/run/openvswitch EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch +EnvironmentFile=-/run/openvswitch/useropts @begin_dpdk@ -ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages +ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages' ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages @end_dpdk@ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ - --ovs-user=${OVS_USER_ID} \ + ${OVSUSER} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \ --no-monitor --system-id=random \ - --ovs-user=${OVS_USER_ID} \ + ${OVSUSER} \ restart $OPTIONS TimeoutSec=300 diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index 234d393..e05742d 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -11,13 +11,15 @@ Restart=on-failure EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch +ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi' +EnvironmentFile=-/run/openvswitch/useropts ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovs-vswitchd --no-monitor --system-id=random \ - --ovs-user=${OVS_USER_ID} \ + ${OVSUSER} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \ - --ovs-user=${OVS_USER_ID} \ + ${OVSUSER} \ --no-monitor restart $OPTIONS RuntimeDirectory=openvswitch RuntimeDirectoryMode=0755
Currently, regardless of which user is being set as the running user, Open vSwitch daemons on RHEL systems drop capabilities. This means the very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'. For the majority of use cases this behavior works, as the user can enable or disable various configurations, regardless of which datapath functions are desired. However, when using certain DPDK PMDs, the enablement and configuration calls require CAP_SYS_ADMIN. Instead of retaining CAP_SYS_ADMIN in all cases, which would practically nullify the uid/gid and privilege drop, we don't pass the --ovs-user option to the daemons. This shunts the capability and privilege dropping code. Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user") Signed-off-by: Aaron Conole <aconole@redhat.com> --- NOTE: I did test this a little bit on my system, passing packets, etc. But more eyes can't be bad. rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++--- rhel/usr_lib_systemd_system_ovsdb-server.service | 6 ++++-- 2 files changed, 8 insertions(+), 5 deletions(-) -- 2.9.0