From patchwork Tue Aug 13 16:28:22 2019
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1146493
From: nusiddiq@redhat.com
To: dev@openvswitch.org
Date: Tue, 13 Aug 2019 21:58:22 +0530
Message-Id: <20190813162822.16517-1-nusiddiq@redhat.com>
In-Reply-To: <20190813162629.15983-1-nusiddiq@redhat.com>
References: <20190813162629.15983-1-nusiddiq@redhat.com>
Cc: Jaime Caamaño Ruiz
Subject: [ovs-dev] [PATCH ovn 4/4] rhel: Run ovn services with the 'openvswitch' user

From: Numan Siddique

This patch could have created a new user 'ovn' for ovn services instead of using 'openvswitch' user. But this would require some amount of work and proper testing since the new user 'ovn' should be part of 'openvswitch' group (to access /var/run/openvswitch/db.sock.). If ovs is compiled with dpdk, then it may get tricky (as ovs-vswitchd is run as user - openvswitch:hugetlbfs). We can support a new user for 'ovn' services in the future.

Recently the commit [1] in ovs repo added support to run ovn services with the 'openvswitch' user, but this commit was not applied to ovn repo as we had already created a new OVN repo. During the OVS/OVN formal split, we missed out on applying the patch [1]. This patch takes some code from [1].

[1] - 94e1e8be3187 ("rhel: run ovn with the same user as ovs").

CC: Jaime Caamaño Ruiz
Signed-off-by: Numan Siddique
Signed-off-by: Numan Siddique --- rhel/automake.mk | 3 ++- rhel/ovn-fedora.spec.in | 13 +++++++++++++ ...r_lib_systemd_system_ovn-controller-vtep.service | 2 ++ rhel/usr_lib_systemd_system_ovn-controller.service | 2 ++ rhel/usr_lib_systemd_system_ovn-northd.service | 5 ++++- ...usr_share_ovn_scripts_systemd_sysconfig.template | 13 +++++++++++++ utilities/ovn-ctl | 12 ++++++++++++ 7 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 rhel/usr_share_ovn_scripts_systemd_sysconfig.template diff --git a/rhel/automake.mk b/rhel/automake.mk index 39e216b01..a46e6579b 100644 --- a/rhel/automake.mk +++ b/rhel/automake.mk @@ -15,7 +15,8 @@ EXTRA_DIST += \ rhel/usr_lib_systemd_system_ovn-controller-vtep.service \ rhel/usr_lib_systemd_system_ovn-northd.service \ rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \ - rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml + rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \ + rhel/usr_share_ovn_scripts_systemd_sysconfig.template update_rhel_spec = \ $(AM_V_GEN)($(ro_shell) && sed -e 's,[@]VERSION[@],$(VERSION),g') \ diff --git a/rhel/ovn-fedora.spec.in b/rhel/ovn-fedora.spec.in index cbca87511..14035de9a 100644 --- a/rhel/ovn-fedora.spec.in +++ b/rhel/ovn-fedora.spec.in @@ -186,6 +186,10 @@ make %{?_smp_mflags} rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT +install -p -D -m 0644 \ + rhel/usr_share_ovn_scripts_systemd_sysconfig.template \ + $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ovn + for service in ovn-controller ovn-controller-vtep ovn-northd; do install -p -D -m 0644 \ rhel/usr_lib_systemd_system_${service}.service \ @@ -319,6 +323,14 @@ fi fi %endif +%post +%if %{with libcapng} +if [ $1 -eq 1 ]; then + sed -i 's:^#OVN_USER_ID=:OVN_USER_ID=:' %{_sysconfdir}/sysconfig/ovn + sed -i 's:\(.*su\).*:\1 ovn ovn:' %{_sysconfdir}/logrotate.d/ovn +fi +%endif + %post central %if 0%{?systemd_post:1} %systemd_post ovn-northd.service 
@@ -413,6 +425,7 @@ if [ $1 -eq 1 ]; then fi %files +%config(noreplace) %{_sysconfdir}/sysconfig/ovn %{_bindir}/ovn-nbctl %{_bindir}/ovn-sbctl %{_bindir}/ovn-trace diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service index 832849488..09ad0612c 100644 --- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service +++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service @@ -38,10 +38,12 @@ Restart=on-failure Environment=OVS_RUNDIR=%t/openvswitch Environment=OVN_RUNDIR=%t/ovn Environment=OVN_DB=unix:%t/ovn/ovnsb_db.sock +EnvironmentFile=-/etc/sysconfig/ovn Environment=VTEP_DB=unix:%t/openvswitch/db.sock EnvironmentFile=-/etc/sysconfig/ovn-controller-vtep ExecStart=/usr/bin/ovn-controller-vtep -vconsole:emer -vsyslog:err -vfile:info \ --log-file=/var/log/ovn/ovn-controller-vtep.log \ + --ovn-user=${OVN_USER_ID} \ --no-chdir --pidfile=${OVN_RUNDIR}/ovn-controller-vtep.pid \ --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB} diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service index 6c8f33a27..15d0ac853 100644 --- a/rhel/usr_lib_systemd_system_ovn-controller.service +++ b/rhel/usr_lib_systemd_system_ovn-controller.service @@ -24,8 +24,10 @@ Type=forking PIDFile=/var/run/ovn/ovn-controller.pid Restart=on-failure Environment=OVN_RUNDIR=%t/ovn OVS_RUNDIR=%t/openvswitch +EnvironmentFile=-/etc/sysconfig/ovn EnvironmentFile=-/etc/sysconfig/ovn-controller ExecStart=/usr/share/ovn/scripts/ovn-ctl --no-monitor \ + --ovn-user=${OVN_USER_ID} \ start_controller $OVN_CONTROLLER_OPTS ExecStop=/usr/share/ovn/scripts/ovn-ctl stop_controller diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service index 82c23cee4..d281f861c 100644 --- a/rhel/usr_lib_systemd_system_ovn-northd.service +++ b/rhel/usr_lib_systemd_system_ovn-northd.service 
@@ -21,8 +21,11 @@ After=syslog.target Type=oneshot RemainAfterExit=yes Environment=OVN_RUNDIR=%t/ovn OVN_DBDIR=/var/lib/ovn +EnvironmentFile=-/etc/sysconfig/ovn EnvironmentFile=-/etc/sysconfig/ovn-northd -ExecStart=/usr/share/ovn/scripts/ovn-ctl start_northd $OVN_NORTHD_OPTS +ExecStartPre=-/usr/bin/chown -R ${OVN_USER_ID} ${OVN_DBDIR} +ExecStart=/usr/share/ovn/scripts/ovn-ctl \ + --ovn-user=${OVN_USER_ID} start_northd $OVN_NORTHD_OPTS ExecStop=/usr/share/ovn/scripts/ovn-ctl stop_northd [Install] diff --git a/rhel/usr_share_ovn_scripts_systemd_sysconfig.template b/rhel/usr_share_ovn_scripts_systemd_sysconfig.template new file mode 100644 index 000000000..4543d1bc9 --- /dev/null +++ b/rhel/usr_share_ovn_scripts_systemd_sysconfig.template @@ -0,0 +1,13 @@ +### Configuration options for OVN +# +# Set "nice" priority at which to run ovn-northd: +# --ovn-northd-priority=-10 +# +# Set "nice" priority at which to run ovn-controller: +# --ovn-controller-priority=-10 +# +# +OPTIONS="" + +# Uncomment and set the OVN User/Group value +#OVN_USER_ID="openvswitch:openvswitch" diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl index 39e03b189..f4ed8f5a8 100755 --- a/utilities/ovn-ctl +++ b/utilities/ovn-ctl @@ -183,6 +183,18 @@ $cluster_remote_port upgrade_db "$file" "$schema" fi + # Set the owner of the ovn_dbdir (with -R option) to OVN_USER if set. + # This is required because the ovndbs are created with root permission + # if not present when create_cluster/upgrade_db is called. + INSTALL_USER="root" + INSTALL_GROUP="root" + [ "$OVN_USER" != "" ] && INSTALL_USER="${OVN_USER%:*}" + [ "${OVN_USER##*:}" != "" ] && INSTALL_GROUP="${OVN_USER##*:}" + + chown -R $INSTALL_USER:$INSTALL_GROUP $ovn_dbdir + chown -R $INSTALL_USER:$INSTALL_GROUP $OVN_RUNDIR + chown -R $INSTALL_USER:$INSTALL_GROUP $ovn_logdir + set ovsdb-server set "$@" $log --log-file=$logfile set "$@" --remote=punix:$sock --pidfile=$db_pid_file
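Review bot: the logrotate rewrite in the new %post block of rhel/ovn-fedora.spec.in hard-codes a user this package never creates: `sed -i 's:\(.*su\).*:\1 ovn ovn:' %{_sysconfdir}/logrotate.d/ovn` turns the `su` directive into `su ovn ovn`, while the value the same block enables in /etc/sysconfig/ovn is `OVN_USER_ID="openvswitch:openvswitch"` and the commit message states that no 'ovn' user is added. logrotate reports an unknown user and skips the config, so the directive should name the same user and group as OVN_USER_ID (`su openvswitch openvswitch`). The pattern `\(.*su\).*` is also unanchored and greedy, so it rewrites any line that contains `su` anywhere, not only the `su` directive; anchoring it on the directive (for example `^\( *su\) .*`) avoids clobbering unrelated lines. Both edits run only on first install (`$1 -eq 1`), which is consistent with %config(noreplace) but means an upgrade from an earlier package never gets OVN_USER_ID enabled; that is worth a sentence in the commit message.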
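Review bot: in the rhel/usr_lib_systemd_system_ovn-controller-vtep.service hunk, `--ovn-user=${OVN_USER_ID}` is handed to the /usr/bin/ovn-controller-vtep binary, not to ovn-ctl. `--ovn-user` is an ovn-ctl option (the ovn-controller and ovn-northd units in this patch pass it to ovn-ctl, and the ovn-ctl hunk consumes it as $OVN_USER); the daemons themselves take the generic `--user=user:group` option, so this ExecStart should use `--user=${OVN_USER_ID}` or the unit will fail on an unrecognised option. Please also check the unset case: when OVN_USER_ID is not defined (non-libcapng builds, or an upgrade where %post did not uncomment it) the argument expands to an empty value, and the daemon must tolerate `--user=` for the service to keep starting.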
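Review bot: `ExecStartPre=-/usr/bin/chown -R ${OVN_USER_ID} ${OVN_DBDIR}` in the ovn-northd.service hunk duplicates the `chown -R $INSTALL_USER:$INSTALL_GROUP $ovn_dbdir` that the ovn-ctl hunk of this same patch performs when the databases are started, so one of the two should go; keeping the ovn-ctl one gives non-systemd starts the same behaviour. If the ExecStartPre stays, note that with OVN_USER_ID unset the command becomes `chown -R /var/lib/ovn` (the directory is parsed as the owner spec) and only the leading `-` hides the resulting error; guarding it on OVN_USER_ID being set makes the intent explicit instead of relying on an ignored failure.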
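Review bot: the new rhel/usr_share_ovn_scripts_systemd_sysconfig.template carries `OPTIONS=""` together with the `--ovn-northd-priority` and `--ovn-controller-priority` comments, but none of the three unit files in this patch reference $OPTIONS (they consume $OVN_NORTHD_OPTS and $OVN_CONTROLLER_OPTS from the per-service sysconfig files), so anything an administrator sets there is silently ignored. Either drop the OPTIONS block and its comments, or append $OPTIONS to the ExecStart lines that the comments describe. The `#OVN_USER_ID="openvswitch:openvswitch"` line does match the `^#OVN_USER_ID=` pattern that %post uncomments, so that part is consistent.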
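Review bot: the comment in the utilities/ovn-ctl hunk says the owner is set "to OVN_USER if set", but the three `chown -R` lines run unconditionally: with OVN_USER empty, INSTALL_USER and INSTALL_GROUP stay `root:root`, so every database start recursively resets $ovn_dbdir, $OVN_RUNDIR and $ovn_logdir to root and undoes any ownership an administrator chose. Wrap the chowns in `[ "$OVN_USER" != "" ]`, quote the arguments (`"$ovn_dbdir"` and so on, so an empty variable fails loudly rather than shifting the operand list), and consider skipping the recursive chown of the log directory when ownership already matches, since it walks every rotated log on each start. Two smaller points: `OVN_USER="openvswitch:"` (trailing colon) leaves INSTALL_GROUP as root rather than the user's primary group, unlike chown's own `user:` form; and because this block sits in the database start path, on an ovn-host node that runs only ovn-controller nothing in this patch gives $OVN_RUNDIR or $ovn_logdir to the new user, so unless ovn-ctl already creates those directories as $OVN_USER elsewhere (not visible in this diff), ovn-controller started with --ovn-user will be unable to write its pidfile and log.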