From: Ansis Atteka
To: dev@openvswitch.org
Cc: Ansis Atteka
Date: Mon, 15 Apr 2019 18:24:41 -0700
Message-Id: <20190416012441.24625-1-aatteka@ovn.org>
Subject: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processes run as root

Otherwise, Open vSwitch will fail to start with the following error
"libcap-ng is not configured at compile time" when it attempts to
downgrade to Open vSwitch user.

Also, if packages were built in a way where processes are supposed to
be running only as root, then there is no point in creating
"openvswitch" user in the first place.

Signed-off-by: Ansis Atteka
---
 poc/playbook-fedora-builder.yml | 6 +++---
 rhel/openvswitch-fedora.spec.in | 8 ++++++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/poc/playbook-fedora-builder.yml b/poc/playbook-fedora-builder.yml index 70f0b6ff2..b955714fc 100644 --- a/poc/playbook-fedora-builder.yml +++ b/poc/playbook-fedora-builder.yml 
@@ -99,17 +99,17 @@ - openvswitch-dkms.spec - name: Build Open vSwitch user space rpms - command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec + command: rpmbuild -bb --without check --without libcapng rhel/openvswitch-fedora.spec args: chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}" - name: Build Open vSwitch kmod rpm - command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec + command: rpmbuild -bb --without check --without libcapng rhel/openvswitch-fedora.spec args: chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}" - name: Build Open vSwitch dkms rpm - command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec + command: rpmbuild -bb --without check --without libcapng rhel/openvswitch-dkms.spec args: chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}" diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index c1cd3f4c6..ce728b4f0 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT %endif %pre +%if %{with libcapng} getent group openvswitch >/dev/null || groupadd -r openvswitch getent passwd openvswitch >/dev/null || \ useradd -r -g openvswitch -d / -s /sbin/nologin \ @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \ getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs usermod -a -G hugetlbfs openvswitch %endif +%endif exit 0 %post +%if %{with libcapng} if [ $1 -eq 1 ]; then sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' %{_sysconfdir}/logrotate.d/openvswitch @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then chown -R openvswitch:openvswitch /etc/openvswitch chown -R openvswitch:openvswitch /var/log/openvswitch fi +%endif %if 0%{?systemd_post:1} %systemd_post %{name}.service 
@@ -445,7 +449,11 @@ fi %endif %files +%if %{with libcapng} %defattr(-,openvswitch,openvswitch) +%else +%defattr(-,root,root) +%endif %dir %{_sysconfdir}/openvswitch %{_sysconfdir}/openvswitch/default.conf %config %ghost %{_sysconfdir}/openvswitch/conf.db
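Review bot: in poc/playbook-fedora-builder.yml (hunk @@ -99,17 +99,17 @@), all three rpmbuild tasks now pass --without libcapng unconditionally, so every package this builder produces runs the Open vSwitch daemons as root, and the commit message does not say why the builder should give up the unprivileged openvswitch user. Either state the reason in the commit message or put the option behind a playbook variable so the privilege-dropping build stays available. The flag is also added to the rhel/openvswitch-dkms.spec task, and nothing in the visible lines shows that spec reading a libcapng conditional; if it does not, drop the flag from that task.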
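Review bot: in the %pre hunks of rhel/openvswitch-fedora.spec.in (@@ -350,6 +350,7 @@ and @@ -359,9 +360,11 @@), the new %if %{with libcapng} / %endif pair also encloses the existing inner conditional that runs getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs, so a build without libcapng no longer creates the hugetlbfs group at all. If only the usermod -a -G hugetlbfs openvswitch line depends on the openvswitch user, close the new conditional around the user-specific lines and leave the group creation outside it, or add a spec comment saying the group is not needed when the daemons stay root.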
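Review bot: in the %post hunks of rhel/openvswitch-fedora.spec.in (ending at @@ -376,6 +379,7 @@), the guarded block only runs on first install (if [ $1 -eq 1 ]), so the new conditional does nothing for a host that is upgraded from a libcapng build to a build without it. Nothing in the visible lines re-comments OVS_USER_ID in /etc/sysconfig/openvswitch, restores the logrotate su line, or changes the ownership of /etc/openvswitch and /var/log/openvswitch, so the daemon would presumably still try to switch to the openvswitch user and hit the error quoted in the commit message. Consider an %else branch that reverts those settings, or state in the commit message that changing build flavour across an upgrade is not supported.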
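Review bot: in the %files hunk of rhel/openvswitch-fedora.spec.in (@@ -445,7 +449,11 @@), the owner of %{_sysconfdir}/openvswitch, default.conf and conf.db now depends on a build option, and the spec carries no comment explaining why. Add a one-line comment above the %if saying that without libcapng the daemons cannot drop privileges and therefore the packaged files are root-owned, so a later editor does not "fix" the %else branch back to openvswitch ownership.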