[ovs-dev,Debian-non-root,v3,3/4] ovs-ctl: add --run-as option

Message ID 1445901341-7182-3-git-send-email-azhou@nicira.com
State Deferred

Commit Message

Andy Zhou Oct. 26, 2015, 11:15 p.m. UTC
Add an option to the ovs-ctl script to specify whether to start the daemons
as the root user or the ovs user.  The default is 'run-as=root', which
preserves the script's current behavior.

Signed-off-by: Andy Zhou <azhou@nicira.com>
---
 utilities/ovs-ctl.8  |  4 ++++
 utilities/ovs-ctl.in | 28 +++++++++++++++++++++++++---
 utilities/ovs-lib.in |  9 ++++++++-
 3 files changed, 37 insertions(+), 4 deletions(-)

Patch

diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
index 6a9a544..2d38362 100644
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -123,6 +123,10 @@  another string is specified \fBovs\-ctl\fR uses it literally.
 The following options should be specified if the defaults are not
 suitable:
 .
+.IP "\fB\-\-run\-as=\fIuser[:group]\fR"
+Run OVS daemons as the user specified. In case 'user' is not root, OVS
+daemons will run with the least privileges necessary.
+.
 .IP "\fB\-\-system\-type=\fItype\fR"
 .IQ "\fB\-\-system\-version=\fIversion\fR"
 Sets the value to store in the \fBsystem-type\fR and
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index c9d75df..c844f7e 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -1,5 +1,5 @@ 
 #! /bin/sh
-# Copyright (C) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+# Copyright (C) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,8 +13,6 @@ 
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-OVS_USER=root         # Default user.
-OVS_GROUP=root        # Default group.
 
 case $0 in
     */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;;
@@ -101,6 +99,7 @@  set_system_ids () {
             else
                 log_failure_msg "missing uuidgen, could not generate system ID"
             fi
+            chown "$OVS_USER":"$OVS_GROUP" $id_file
             ;;
 
         '')
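Review bot: The added chown runs after the if/else regardless of which branch was taken, including the one that logged `missing uuidgen`; it is not visible here whether an id file exists in that case, and if it does not, chown prints a second error on top of the logged failure. `$id_file` is also the only unquoted expansion on that line, unlike the surrounding script. Suggest `test -f "$id_file" && chown "$OVS_USER":"$OVS_GROUP" "$id_file"`. The enclosing set_system_ids function starts and ends outside the hunk.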
@@ -535,6 +534,8 @@  set_defaults () {
         SYSTEM_TYPE=unknown
         SYSTEM_VERSION=unknown
     fi
+    OVS_USER=root         # Default user.
+    OVS_GROUP=$OVS_USER   # Default group.
 }
 
 usage () {
@@ -573,6 +574,7 @@  Less important options for "start", "restart" and "force-reload-kmod":
   --daemon-cwd=DIR               set working dir for OVS daemons (default: $DAEMON_CWD)
   --no-force-corefiles           do not force on core dumps for OVS daemons
   --no-mlockall                  do not lock all of ovs-vswitchd into memory
+  --run-as=USER                  run ovs daemons as the root user of ovs user (default: $OVS_USER:$OVS_GROUP)
   --ovsdb-server-priority=NICE   set ovsdb-server's niceness (default: $OVSDB_SERVER_PRIORITY)
   --ovs-vswitchd-priority=NICE   set ovs-vswitchd's niceness (default: $OVS_VSWITCHD_PRIORITY)
 
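Review bot: The new usage line reads `run ovs daemons as the root user of ovs user`, which is a typo ("of" for "or") and also narrower than what the parser accepts, since the man-page hunk documents `user[:group]` for any user. Suggest `--run-as=USER[:GROUP]          run ovs daemons as USER and GROUP (default: $OVS_USER:$OVS_GROUP)` so the help text and the option syntax agree. The usage heredoc begins outside the hunk.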
@@ -653,6 +655,26 @@  do
                     ;;
             esac
             ;;
+        --run-as=*)
+            value=`expr X"$arg" : 'X[^=]*=\(.*\)'`
+            case $value in
+                [a-z]*:*)
+                    OVS_USER=`expr X"$value" : 'X\(.*\):.*'`
+                    OVS_GROUP=`expr X"$value" : 'X[^:]*:\(.*\)'`
+                    if  test X"$OVS_GROUP" = X; then
+                        OVS_GROUP=$OVS_USER
+                    fi
+                    ;;
+                [a-z]*)
+                    OVS_USER=`expr X"$value" : 'X\(.*\)'`
+                    OVS_GROUP=$OVS_USER
+                    ;;
+                *)
+                    echo >&2 "$0: --run-as argument not in the form \"user[:group]\""
+                    exit 1
+                    ;;
+            esac
+            ;;
         --[a-z]*=*)
             option=`expr X"$arg" : 'X--\([^=]*\)'`
             value=`expr X"$arg" : 'X[^=]*=\(.*\)'`
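Review bot: The `[a-z]*:*` and `[a-z]*` patterns reject account names that start with an underscore, digit or capital letter, which are otherwise valid, and the greedy `X\(.*\):.*` puts everything up to the last colon into OVS_USER, so a value with two colons yields a user name containing a colon. The `expr X"$value" : 'X\(.*\)'` in the second arm is a plain copy of `$value`. POSIX parameter expansion splits on the first colon without either problem and keeps the existing error path for an empty user; an explicit `id "$OVS_USER" >/dev/null 2>&1` check would additionally catch a misspelled account before the daemons fail to start later. The option-parsing loop begins and ends outside the hunk.
```shell
        --run-as=*)
            value=`expr X"$arg" : 'X[^=]*=\(.*\)'`
            case $value in
                *:*)
                    OVS_USER=${value%%:*}
                    OVS_GROUP=${value#*:}
                    ;;
                *)
                    OVS_USER=$value
                    OVS_GROUP=
                    ;;
            esac
            if test X"$OVS_USER" = X; then
                echo >&2 "$0: --run-as argument not in the form \"user[:group]\""
                exit 1
            fi
            # default the group to the user when none (or an empty one) is given
            test X"$OVS_GROUP" = X && OVS_GROUP=$OVS_USER
            ;;
```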
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index 34e2041..2a9eff3 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -149,10 +149,15 @@  start_daemon () {
     set "$@" --log-file="$logdir/$daemon.log"
 
     # pidfile and monitoring
-    test -d "$rundir" || install -d -m 755 -o "$OVS_USER" -g "$OVS_GROUP" "$rundir"
+    test -d "$rundir" || install -d -m 775 -o "$OVS_USER" -g "$OVS_GROUP" "$rundir"
     set "$@" --pidfile="$rundir/$daemon.pid"
     set "$@" --detach --monitor
 
+    # non root user
+    if test "$OVS_USER" != "root"; then
+        set "$@" --user="$OVS_USER":"$OVS_GROUP"
+    fi
+
     # wrapper
     case $wrapper in
         valgrind)
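Review bot: Ownership of `$rundir` is only applied when the directory is created, so a rundir left over from an earlier root-run start stays root-owned while the daemon is now started with `--user=` as a non-root OVS_USER and cannot write its pidfile there. The mode change from 755 to 775 on the same line grants write access to every member of OVS_GROUP, which the owner-based access the daemon needs does not require; if group-write is intended, a comment should say why. Suggest creating with 755 and fixing ownership on every start: `test -d "$rundir" || install -d -m 755 "$rundir"` followed by `chown "$OVS_USER":"$OVS_GROUP" "$rundir"`. start_daemon begins and ends outside the hunk.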
@@ -376,4 +381,6 @@  upgrade_db () {
             create_db "$DB_FILE" "$DB_SCHEMA"
         fi
     fi
+
+    chown -R "$OVS_USER":"$OVS_GROUP" `dirname $DB_FILE`
 }
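Review bot: `chown -R` over `dirname $DB_FILE` re-owns every file in the database directory, not just the database, so any other files kept alongside it are handed to OVS_USER as well; `$DB_FILE` is also unquoted inside the backticks and the substitution result is unquoted. The daemon needs only the directory (for its lock and temp files) and the database file itself, so a non-recursive chown is enough: `dbdir=$(dirname "$DB_FILE")` then `chown "$OVS_USER":"$OVS_GROUP" "$dbdir" "$DB_FILE"`. The body of upgrade_db begins outside the hunk.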