
[ovs-dev] rhel: Add optional BuildRequires to libcap-ng

Message ID 1443738669-13577-1-git-send-email-fbl@redhat.com
State Accepted

Commit Message

Flavio Leitner Oct. 1, 2015, 10:31 p.m. UTC
Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
added optional usage of the libcap-ng library.  It's packaged in Fedora,
so go ahead and add it by default to the Fedora spec file.

Our default systemd unit files don't make use of the --user option that
requires this library, but conceivably someone may want to customize
them and use this option.

For those that don't want to use --user option, the Fedora package
offers an option (--without libcapng) to build the RPMs without it.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

Comments

Andy Zhou Oct. 1, 2015, 10:47 p.m. UTC | #1
> Our default systemd unit files don't make use of the --user option that
> requires this library, but conceivably someone may want to customize
> them and use this option.

Any down side if we change the unit files to make use of --user option
by default, like how Apache runs?

Russell Bryant Oct. 2, 2015, 1:03 a.m. UTC | #2
On 10/01/2015 06:31 PM, Flavio Leitner wrote:
> Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
> added optional usage of the libcap-ng library.  It's packaged in Fedora,
> so go ahead and add it by default to the Fedora spec file.
> 
> Our default systemd unit files don't make use of the --user option that
> requires this library, but conceivably someone may want to customize
> them and use this option.
> 
> For those that don't want to use --user option, the Fedora package
> offers an option (--without libcapng) to build the RPMs without it.
> 
> Signed-off-by: Flavio Leitner <fbl@redhat.com>

This patch looks good.  Thanks for helping to flesh it out!

Signed-off-by: Russell Bryant <rbryant@redhat.com>

Russell Bryant Oct. 2, 2015, 1:06 a.m. UTC | #3
On 10/01/2015 06:47 PM, Andy Zhou wrote:
>> Our default systemd unit files don't make use of the --user option that
>> requires this library, but conceivably someone may want to customize
>> them and use this option.
> 
> Any down side if we change the unit files to make use of --user option
> by default, like how Apache runs?
> 

I'm not sure ... probably not?  I'd just want to test it out first.

Also note that this version of the patch makes building with libcap-ng
optional, so we can't simply just add it to the system unit.  It'll need
to be optional there, too.

Andy Zhou Oct. 2, 2015, 1:26 a.m. UTC | #4
On Thu, Oct 1, 2015 at 6:06 PM, Russell Bryant <rbryant@redhat.com> wrote:
> On 10/01/2015 06:47 PM, Andy Zhou wrote:
>>> Our default systemd unit files don't make use of the --user option that
>>> requires this library, but conceivably someone may want to customize
>>> them and use this option.
>>
>> Any down side if we change the unit files to make use of --user option
>> by default, like how Apache runs?
>>
>
> I'm not sure ... probably not?  I'd just want to test it out first.
>
> Also note that this version of the patch makes building with libcap-ng
> optional, so we can't simply just add it to the system unit.  It'll need
> to be optional there, too.
>
O.K. We can start with 2 packages and re-evaluate in the future.

Flavio Leitner Oct. 2, 2015, 1:06 p.m. UTC | #5
On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
> > Our default systemd unit files don't make use of the --user option that
> > requires this library, but conceivably someone may want to customize
> > them and use this option.
> 
> Any down side if we change the unit files to make use of --user option
> by default, like how Apache runs?

Does OVS re-open any resources in run-time?
ovs-appctl vlog/reopen for instance might break because of lack of
permissions.

SELinux might not like some operations being done with a different user.

fbl

Ben Pfaff Oct. 2, 2015, 2:27 p.m. UTC | #6
On Thu, Oct 01, 2015 at 09:03:47PM -0400, Russell Bryant wrote:
> On 10/01/2015 06:31 PM, Flavio Leitner wrote:
> > Commit e91b927d8 (lib/daemon: support --user option for all OVS daemon)
> > added optional usage of the libcap-ng library.  It's packaged in Fedora,
> > so go ahead and add it by default to the Fedora spec file.
> > 
> > Our default systemd unit files don't make use of the --user option that
> > requires this library, but conceivably someone may want to customize
> > them and use this option.
> > 
> > For those that don't want to use --user option, the Fedora package
> > offers an option (--without libcapng) to build the RPMs without it.
> > 
> > Signed-off-by: Flavio Leitner <fbl@redhat.com>

Applied to master, thanks!

> This patch looks good.  Thanks for helping to flesh it out!
> 
> Signed-off-by: Russell Bryant <rbryant@redhat.com>

I converted that to an Acked-by.

Andy Zhou Oct. 2, 2015, 7:52 p.m. UTC | #7
On Fri, Oct 2, 2015 at 6:06 AM, Flavio Leitner <fbl@redhat.com> wrote:
> On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
>> > Our default systemd unit files don't make use of the --user option that
>> > requires this library, but conceivably someone may want to customize
>> > them and use this option.
>>
>> Any down side if we change the unit files to make use of --user option
>> by default, like how Apache runs?
>
> Does OVS re-open any resources in run-time?
> ovs-appctl vlog/reopen for instance might break because of lack of
> permissions.
Since daemon is doing the reopen, I'd think it should be O.K.
>
> SELinux might not like some operations being done with a different user.
>
I don't know much about SELinux. Just noticed that OVS package won't
install on a RHEL 7 where SELinux is turned on by default. It would be
good for OVS to co-exist with SELinux. Any input or guidance will be
greatly appreciated.

> fbl

Ansis Atteka Oct. 5, 2015, 1:23 a.m. UTC | #8
On Fri, Oct 2, 2015 at 12:52 PM, Andy Zhou <azhou@nicira.com> wrote:
> On Fri, Oct 2, 2015 at 6:06 AM, Flavio Leitner <fbl@redhat.com> wrote:
>> On Thu, Oct 01, 2015 at 03:47:12PM -0700, Andy Zhou wrote:
>>> > Our default systemd unit files don't make use of the --user option that
>>> > requires this library, but conceivably someone may want to customize
>>> > them and use this option.
>>>
>>> Any down side if we change the unit files to make use of --user option
>>> by default, like how Apache runs?
>>
>> Does OVS re-open any resources in run-time?
>> ovs-appctl vlog/reopen for instance might break because of lack of
>> permissions.
> Since daemon is doing the reopen, I'd think it should be O.K.
>>
>> SELinux might not like some operations being done with a different user.
>>
> I don't know much about SELinux. Just noticed that OVS package won't
> install on a RHEL 7
> where SELinux is turned on by default. It would be good for OVS to
> co-exist with SELinux.
> Any input or guidance will be greatly appreciated.

I just sent out a patch that fixes SELinux "installation" issue on
RHEL and CentOS:
http://openvswitch.org/pipermail/dev/2015-October/060892.html

However, I would not be surprised that there is some more SELinux
tuning required.

>
>> fbl

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 695f1d7..066086c 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -13,6 +13,10 @@ 
 
 #%define kernel 2.6.40.4-5.fc15.x86_64
 
+# If libcap-ng isn't available and there is no need for running OVS
+# as regular user, specify the '--without libcapng'
+%bcond_without libcapng
+
 # Enable PIE, bz#955181
 %global _hardened_build 1
 
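Review bot: The comment above `%bcond_without libcapng` is an incomplete sentence and does not say that libcap-ng support is on by default, which the `%bcond_without` name makes easy to misread. It should also say where the switch is given and what is lost, since the comment ties the library to running OVS as a regular user. Suggested wording: "libcap-ng support is enabled by default; pass '--without libcapng' to rpmbuild to build without it, in which case OVS cannot be run as a regular user."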
@@ -42,6 +46,9 @@  BuildRequires: desktop-file-utils
 BuildRequires: groff graphviz
 # make check dependencies
 BuildRequires: procps-ng
+%if %{with libcapng}
+BuildRequires: libcap-ng libcap-ng-devel
+%endif
 
 Requires: openssl iproute module-init-tools
 #Upstream kernel commit 4f647e0a3c37b8d5086214128614a136064110c3
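Review bot: The new `%if %{with libcapng}` block sits directly under the existing `# make check dependencies` comment, after `BuildRequires: procps-ng`, so it reads as a test-only dependency rather than a build-time feature dependency. Separate it with a blank line and its own comment (for example "# needed for the --user option"). Listing `libcap-ng` next to `libcap-ng-devel` is also normally redundant, because the -devel package depends on the runtime library.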
@@ -104,7 +111,15 @@  overlays and security groups.
 %setup -q
 
 %build
-%configure --enable-ssl --with-pkidir=%{_sharedstatedir}/openvswitch/pki
+%configure \
+%if %{with libcapng}
+	--enable-libcapng \
+%else
+	--disable-libcapng \
+%endif
+	--enable-ssl \
+	--with-pkidir=%{_sharedstatedir}/openvswitch/pki
+
 make %{?_smp_mflags}
 
 %install
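Review bot: Placing `%if`/`%else`/`%endif` between the backslash-continued lines of `%configure` works only as long as every option line except the last keeps its trailing backslash, which is easy to break when the next option is added. Consider setting the flag once in the conditional, e.g. `%global libcapng_flag --enable-libcapng` (and `--disable-libcapng` in the `%else` branch), then passing `%{libcapng_flag}` to `%configure`. Passing an explicit `--disable-libcapng` in the `%else` branch is good, since it keeps the build from depending on whether the library happens to be installed on the build host.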