[ovs-dev,Debian-non-root,3/4] ovs-ctl: add --no-run-as-root option

Message ID 1444095524-11357-3-git-send-email-azhou@nicira.com
State Superseded

Commit Message

Andy Zhou Oct. 6, 2015, 1:38 a.m. UTC
Add option to ovs-ctl script to specify whether to start the daemons as
root user or ovs user.  The default is 'run-as-root', which preserves
the script's current behavior.

Signed-off-by: Andy Zhou <azhou@nicira.com>
---
 utilities/ovs-ctl.in | 12 ++++++++++--
 utilities/ovs-lib.in |  7 +++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

Comments

Ansis Atteka Oct. 7, 2015, 1:22 a.m. UTC | #1
On 5 October 2015 at 18:38, Andy Zhou <azhou@nicira.com> wrote:

> Add option to ovs-ctl script to specify whether to start the daemons as
> root user or ovs user.  The default is 'run-as-root', which preserve
>
s/preserve/preserves

> the scripts' current behavior.
>
s/script/script's

>
> Signed-off-by: Andy Zhou <azhou@nicira.com>
> ---
>  utilities/ovs-ctl.in | 12 ++++++++++--
>  utilities/ovs-lib.in |  7 +++++++
>  2 files changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
> index c9d75df..1256324 100755
> --- a/utilities/ovs-ctl.in
> +++ b/utilities/ovs-ctl.in
> @@ -13,8 +13,8 @@
>  # See the License for the specific language governing permissions and
>  # limitations under the License.
>
> -OVS_USER=root         # Default user.
> -OVS_GROUP=root        # Default group.
> +OVS_USER=ovs         # Default user.
> +OVS_GROUP=ovs        # Default group.
>
>  case $0 in
>      */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;;
> @@ -505,6 +505,7 @@ set_defaults () {
>
>      DAEMON_CWD=/
>      FORCE_COREFILES=yes
> +    RUN_AS_ROOT=yes
>      MLOCKALL=yes
>      OVSDB_SERVER_PRIORITY=-10
>      OVS_VSWITCHD_PRIORITY=-10
> @@ -573,6 +574,7 @@ Less important options for "start", "restart" and
> "force-reload-kmod":
>    --daemon-cwd=DIR               set working dir for OVS daemons
> (default: $DAEMON_CWD)
>    --no-force-corefiles           do not force on core dumps for OVS
> daemons
>    --no-mlockall                  do not lock all of ovs-vswitchd into
> memory
> +  --no-run-as-root               run ovs daemons as the ovs user
>
How about --run-as-ovs-user? Is there a reason you want negation in
front of its name?

In the description I would use OVS in capital case (as three lines higher).

>    --ovsdb-server-priority=NICE   set ovsdb-server's niceness (default:
> $OVSDB_SERVER_PRIORITY)
>    --ovs-vswitchd-priority=NICE   set ovs-vswitchd's niceness (default:
> $OVS_VSWITCHD_PRIORITY)
>
> @@ -685,6 +687,12 @@ do
>              ;;
>      esac
>  done
> +
> +if test X"$RUN_AS_ROOT" = Xyes; then
> +     OVS_USER=root
> +     OVS_GROUP=root
> +fi
>
> +
>  case $command in
>      start)
>          start_ovsdb || exit 1
> diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
> index da52284..fcb9555 100644
> --- a/utilities/ovs-lib.in
> +++ b/utilities/ovs-lib.in
> @@ -153,6 +153,11 @@ start_daemon () {
>      set "$@" --pidfile="$rundir/$daemon.pid"
>      set "$@" --detach --monitor
>
> +    # non root user
> +    if test X"$RUN_AS_ROOT" != Xyes; then
> +        set "$@" --user="$OVS_USER":"$OVS_GROUP"
> +    fi
> +
>
>      # wrapper
>      case $wrapper in
>          valgrind)
> @@ -375,5 +380,7 @@ upgrade_db () {
>              rm -f "$DB_FILE"
>              create_db "$DB_FILE" "$DB_SCHEMA"
>          fi
> +
> +        chown "$OVS_USER":"$OVS_GROUP" $DB_FILE
>

Please don't push this yet since I suspect we would need to change SElinux
Open vSwitch profile to get chown working properly on RHEL and Fedora from
ovs-ctl script. Let me investigate this first.

>      fi
>  }
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>

Patch

diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index c9d75df..1256324 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -13,8 +13,8 @@ 
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-OVS_USER=root         # Default user.
-OVS_GROUP=root        # Default group.
+OVS_USER=ovs         # Default user.
+OVS_GROUP=ovs        # Default group.
 
 case $0 in
     */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;;
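Review bot: the new `ovs` values for OVS_USER and OVS_GROUP assume that an `ovs` account and group exist on the host, and nothing in this patch checks for them before the values reach `--user` in start_daemon and `chown` in upgrade_db; consider failing early in ovs-ctl (for example with `id "$OVS_USER"`) when `--no-run-as-root` is given and the account is missing, or at least documenting the packaging requirement next to these lines. Note also that with `RUN_AS_ROOT=yes` as the default these two values are overwritten with `root` before use, so the comments `# Default user.` / `# Default group.` are now misleading: they describe the non-root user, not the default.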
@@ -505,6 +505,7 @@  set_defaults () {
 
     DAEMON_CWD=/
     FORCE_COREFILES=yes
+    RUN_AS_ROOT=yes
     MLOCKALL=yes
     OVSDB_SERVER_PRIORITY=-10
     OVS_VSWITCHD_PRIORITY=-10
@@ -573,6 +574,7 @@  Less important options for "start", "restart" and "force-reload-kmod":
   --daemon-cwd=DIR               set working dir for OVS daemons (default: $DAEMON_CWD)
   --no-force-corefiles           do not force on core dumps for OVS daemons
   --no-mlockall                  do not lock all of ovs-vswitchd into memory
+  --no-run-as-root               run ovs daemons as the ovs user
   --ovsdb-server-priority=NICE   set ovsdb-server's niceness (default: $OVSDB_SERVER_PRIORITY)
   --ovs-vswitchd-priority=NICE   set ovs-vswitchd's niceness (default: $OVS_VSWITCHD_PRIORITY)
 
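Review bot: the help text `run ovs daemons as the ovs user` documents only the user although the option also changes the group, and it hardcodes the name while the real value comes from OVS_USER/OVS_GROUP; following the style of the neighbouring lines, something like `--no-run-as-root               run OVS daemons as $OVS_USER:$OVS_GROUP` would stay correct if the defaults change, and uses the capitalised "OVS" of the surrounding entries.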
@@ -685,6 +687,12 @@  do
             ;;
     esac
 done
+
+if test X"$RUN_AS_ROOT" = Xyes; then
+     OVS_USER=root
+     OVS_GROUP=root
+fi
+
 case $command in
     start)
         start_ovsdb || exit 1
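Review bot: the two assignments inside the `if` are indented five spaces while the rest of the file uses four (compare `    esac` a few lines up); please align them. Also, because this block runs after the option loop, it discards OVS_USER/OVS_GROUP whenever RUN_AS_ROOT is yes, so the `ovs` values at the top of the file only ever take effect through `--no-run-as-root`; a one-line comment saying so here would save the next reader a search.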
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index da52284..fcb9555 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -153,6 +153,11 @@  start_daemon () {
     set "$@" --pidfile="$rundir/$daemon.pid"
     set "$@" --detach --monitor
 
+    # non root user
+    if test X"$RUN_AS_ROOT" != Xyes; then
+        set "$@" --user="$OVS_USER":"$OVS_GROUP"
+    fi
+
     # wrapper
     case $wrapper in
         valgrind)
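Review bot: the check `test X"$RUN_AS_ROOT" != Xyes` treats an unset variable as a request to drop privileges, and RUN_AS_ROOT is only set in ovs-ctl's set_defaults, so any other script that sources ovs-lib.in and calls start_daemon would now append `--user="$OVS_USER":"$OVS_GROUP"` with possibly empty values. Either give RUN_AS_ROOT (and OVS_USER/OVS_GROUP) defaults in ovs-lib.in or invert the test to `= Xno`. The comment `# non root user` could also say what actually happens, e.g. `# Drop privileges to the configured non-root user and group.`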
@@ -375,5 +380,7 @@  upgrade_db () {
             rm -f "$DB_FILE"
             create_db "$DB_FILE" "$DB_SCHEMA"
         fi
+
+        chown "$OVS_USER":"$OVS_GROUP" $DB_FILE
     fi
 }
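Review bot: `$DB_FILE` is unquoted in the new `chown` line although the lines just above quote it (`rm -f "$DB_FILE"`, `create_db "$DB_FILE" "$DB_SCHEMA"`); please quote it for consistency. The chown result is also ignored: if the `ovs` account does not exist or the chown is denied (see the SELinux concern raised in the thread), the database stays root-owned and the failure only surfaces later when ovsdb-server starts as the unprivileged user, so check the exit status and log a failure here instead of continuing silently.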