[ovs-dev,Debian-non-root,v3,4/4] Debian: start daemons as ovs(non-root) user

Message ID 1445901341-7182-4-git-send-email-azhou@nicira.com
State Deferred

Commit Message

Andy Zhou Oct. 26, 2015, 11:15 p.m. UTC
Changes to Debian packaging scripts to create the ovs user and group.
Fix the permissions of ovs-created files and directories so that
they are accessible by users belonging to the ovs group.
Start daemons as the ovs user.

Signed-off-by: Andy Zhou <azhou@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

----
This patch does not include changes to the ipsec package. Ansis has
other plans for updating it.
---
 NEWS                                       |  1 +
 debian/automake.mk                         |  1 +
 debian/control                             |  1 +
 debian/openvswitch-common.postinst         | 52 ++++++++++++++++++++++++++++++
 debian/openvswitch-pki.postinst            |  5 +++
 debian/openvswitch-switch.init             |  4 +++
 debian/openvswitch-switch.logrotate        |  2 +-
 debian/openvswitch-switch.postinst         |  6 ++++
 debian/openvswitch-testcontroller.init     |  8 ++++-
 debian/openvswitch-testcontroller.postinst |  5 +++
 debian/openvswitch-vtep.init               |  9 +++++-
 11 files changed, 91 insertions(+), 3 deletions(-)
 create mode 100755 debian/openvswitch-common.postinst

Patch

diff --git a/NEWS b/NEWS
index 9b9dff2..b2446c1 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,7 @@  Post-v2.4.0
    - Add support for connection tracking through the new "ct" action
      and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields.  Only
      available on Linux kernels with the connection tracking module loaded.
+   - Debain package starts daemons as the 'ovs' user.
 
 
 v2.4.0 - 20 Aug 2015
diff --git a/debian/automake.mk b/debian/automake.mk
index c29a560..3092569 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -8,6 +8,7 @@  EXTRA_DIST += \
 	debian/dkms.conf.in \
 	debian/dirs \
 	debian/openvswitch-common.dirs \
+	debian/openvswitch-common.postinst \
 	debian/openvswitch-common.docs \
 	debian/openvswitch-common.install \
 	debian/openvswitch-common.manpages \
diff --git a/debian/control b/debian/control
index 3eac644..7c07cb2 100644
--- a/debian/control
+++ b/debian/control
@@ -60,6 +60,7 @@  Architecture: linux-any
 Depends: openssl,
          python,
          python (>= 2.7) | python-argparse,
+         adduser,
          ${misc:Depends},
          ${shlibs:Depends}
 Suggests: ethtool
diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst
new file mode 100755
index 0000000..2ff025f
--- /dev/null
+++ b/debian/openvswitch-common.postinst
@@ -0,0 +1,52 @@ 
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        LOGDIR=/var/log/openvswitch
+        HOMEDIR=/var/run/openvswitch
+        # Create the ovs user and group.
+        if ! getent passwd ovs > /dev/null; then
+            echo 'Adding system-user for ovs' 1>&2
+            adduser --system --group --no-create-home --disabled-login \
+                     --quiet --home $HOMEDIR $OVS_USER
+            adduser $OVS_USER adm || true
+        fi
+
+        # Fix ownership and permissions.
+        chown -R $OVS_USER:$OVS_GROUP $LOGDIR
+        chown -R $OVS_USER:$OVS_GROUP $HOMEDIR
+        chmod -R 0775 $HOMEDIR
+        ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
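Review bot: `adduser $OVS_USER adm || true` at the end of the user-creation branch puts the daemon account into `adm`, which on Debian grants read access to most of /var/log, while the only log directory the daemons need is $LOGDIR, which the following lines already chown to ovs:ovs (and the logrotate hunk creates the files as ovs:adm, which does not require ovs to be a member of adm). Unless another component relies on that membership, dropping the line, or adding a comment stating why it is needed, keeps the account at least privilege. `chmod -R 0775 $HOMEDIR` recurses over everything already present in /var/run/openvswitch, so existing sockets and pidfiles become group-writable too; a non-recursive `chmod 0775 $HOMEDIR`, letting the daemons' umask govern their own files, is enough, and the same recursive chmod is repeated in openvswitch-testcontroller.init and openvswitch-vtep.init. The existence check hard-codes the literal `ovs` while the rest of the script uses the variable; `if ! getent passwd "$OVS_USER" > /dev/null; then` keeps them in step. Note also that under `set -e` the `chown -R` on $LOGDIR aborts the install if that directory is not shipped by this package, so it is worth confirming it is listed in openvswitch-common.dirs.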
diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst
index f4705e9..b7821d4 100755
--- a/debian/openvswitch-pki.postinst
+++ b/debian/openvswitch-pki.postinst
@@ -5,6 +5,9 @@ 
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@  case "$1" in
         if test ! -e /var/lib/openvswitch/pki; then
             ovs-pki init
         fi
+
+        chown -R $OVS_USER:$OVS_GROUP /var/lib/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
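Review bot: `chown -R $OVS_USER:$OVS_GROUP /var/lib/openvswitch` hands the whole PKI tree that `ovs-pki init` creates, presumably including the CA private keys, to the same unprivileged account the daemons now run as, so a compromise of ovsdb-server or ovs-vswitchd would also expose the signing keys that the move away from root is meant to keep out of reach. The daemons only need the leaf certificates and keys under /etc/openvswitch, which the openvswitch-switch postinst in this series already chowns; keeping /var/lib/openvswitch root-owned, or limiting the chown to the paths the daemons actually open, preserves that separation. If some ovs-pki operation does have to run as ovs, a comment naming it would justify the recursive chown. The enclosing `case` statement continues outside the hunk.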
diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init
index 8e156da..a43027d 100755
--- a/debian/openvswitch-switch.init
+++ b/debian/openvswitch-switch.init
@@ -25,6 +25,9 @@ 
 #                    the Open vSwitch kernel-based switch.
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 (test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0
 
 . /usr/share/openvswitch/scripts/ovs-lib
@@ -64,6 +67,7 @@  start () {
     if test X"$FORCE_COREFILES" != X; then
 	set "$@" --force-corefiles="$FORCE_COREFILES"
     fi
+    set "$@" --run-as=$OVS_USER:$OVS_GROUP
     set "$@" $OVS_CTL_OPTS
     "$@" || exit $?
     if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
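Review bot: `set "$@" --run-as=$OVS_USER:$OVS_GROUP` is appended unconditionally, whereas the neighbouring `--force-corefiles` is only passed when its variable is set, so an administrator has no supported way to keep the daemons running as root on a host where the switch to the ovs user is not yet viable. Making the user overridable the same way — for example `OVS_USER=${OVS_USER:-ovs}` after the defaults file (where FORCE_COREFILES presumably comes from) is sourced, and skipping the option when it is empty — would keep the two options consistent. The expansion should also be quoted like the line above it: `set "$@" --run-as="$OVS_USER:$OVS_GROUP"`. The `start` function continues outside the hunk.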
diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate
index a7a71bd..e93c568 100644
--- a/debian/openvswitch-switch.logrotate
+++ b/debian/openvswitch-switch.logrotate
@@ -1,7 +1,7 @@ 
 /var/log/openvswitch/*.log {
     daily
     compress
-    create 640 root adm
+    create 640 ovs adm
     delaycompress
     missingok
     rotate 30
diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst
index 2464572..0879c7c 100755
--- a/debian/openvswitch-switch.postinst
+++ b/debian/openvswitch-switch.postinst
@@ -5,6 +5,9 @@ 
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,9 @@  case "$1" in
                 fi
             done
 	fi
+
+	# fix owner and permissions for /etc/openvswitch.
+	chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
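Review bot: The two added lines are indented with a tab while the `;;` that closes this branch and the rest of the `case` body use spaces, so the hunk reads as mis-nested in editors that render tabs at four columns; match the surrounding indentation. The chown also takes the whole of /etc/openvswitch, including conf.db and the ovsclient key files that the init scripts in this series reference there, which is what the daemons need, but a comment saying so (`# ovsdb-server rewrites conf.db and reads the client key, so the daemon user must own the tree`) would stop a future reviewer from tightening it. The enclosing `case` continues outside the hunk.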
diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init
index 67b7a99..4ba45f1 100755
--- a/debian/openvswitch-testcontroller.init
+++ b/debian/openvswitch-testcontroller.init
@@ -37,6 +37,8 @@  DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here
 NAME=ovs-testcontroller         # Introduce the short server's name here
 DESC=ovs-testcontroller         # Introduce a short description here
 LOGDIR=/var/log/openvswitch	# Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
 
 PIDFILE=/var/run/openvswitch/$NAME.pid
 
@@ -109,7 +111,10 @@  start_server() {
     fi
 
     if [ ! -d /var/run/openvswitch ]; then
-        install -d -m 755 -o root -g root /var/run/openvswitch
+        install -d -m 775 -o $OVS_USER -g $OVS_GROUP /var/run/openvswitch
+    else
+        chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+        chmod 0775 -R /var/run/openvswitch
     fi
 
     SSL_OPTS=
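Review bot: `chmod 0775 -R /var/run/openvswitch` places the mode before the flag, the reverse of the `chmod -R 0775` spelling used in openvswitch-common.postinst and openvswitch-vtep.init; GNU chmod accepts both, but one consistent form is easier to grep and review. The new `install` and `chown` lines also leave `$OVS_USER`/`$OVS_GROUP` unquoted, unlike the quoted expansions elsewhere in these init scripts: `install -d -m 775 -o "$OVS_USER" -g "$OVS_GROUP" /var/run/openvswitch`. `start_server` continues outside the hunk.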
@@ -139,6 +144,7 @@  start_server() {
         if [ -z "$DAEMONUSER" ] ; then
             start-stop-daemon --start --pidfile $PIDFILE \
                         --exec $DAEMON -- --detach --pidfile=$PIDFILE \
+                        --user $OVS_USER:$OVS_GROUP \
                         $LISTEN $DAEMON_OPTS $SSL_OPTS
             errcode=$?
         else
diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst
index 7242b4a..ee7f4c7 100755
--- a/debian/openvswitch-testcontroller.postinst
+++ b/debian/openvswitch-testcontroller.postinst
@@ -5,6 +5,9 @@ 
 
 set -e
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
 #        * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@  case "$1" in
             chmod go+r cert.pem req.pem
             umask $oldumask
         fi
+
+        chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch-testcontroller
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init
index ebf4e26..5cd4968 100644
--- a/debian/openvswitch-vtep.init
+++ b/debian/openvswitch-vtep.init
@@ -10,6 +10,8 @@ 
 # Description:       Initializes the Open vSwitch VTEP emulator
 ### END INIT INFO
 
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
 
 # Include defaults if available
 default=/etc/default/openvswitch-vtep
@@ -40,17 +42,22 @@  start () {
         cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
     fi
 
+    chown -R $OVS_USER:$OVS_GROUP /etc/openvswitch
+    chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch
+    chmod -R 0775 /var/run/openvswitch
+
     ovsdb-server --pidfile --detach --log-file --remote \
         punix:/var/run/openvswitch/db.sock \
         --remote=db:hardware_vtep,Global,managers \
         --private-key=/etc/openvswitch/ovsclient-privkey.pem \
         --certificate=/etc/openvswitch/ovsclient-cert.pem \
         --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+        --user $OVS_USER:$OVS_GROUP \
         /etc/openvswitch/conf.db /etc/openvswitch/vtep.db
 
     modprobe openvswitch
 
-    ovs-vswitchd --pidfile --detach --log-file \
+    ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
         unix:/var/run/openvswitch/db.sock
 }
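Review bot: `chown -R $OVS_USER:$OVS_GROUP /var/run/openvswitch` assumes the directory exists when `start` runs; /var/run is usually a tmpfs and nothing in this hunk recreates the directory after a reboot, so unless it is created earlier in `start` (outside the hunk) the chown fails on first start, and whether that aborts the script depends on whether the file runs under `set -e`. A guard such as `[ -d /var/run/openvswitch ] || install -d -m 0775 -o "$OVS_USER" -g "$OVS_GROUP" /var/run/openvswitch` before the chown makes the start path self-contained, as openvswitch-testcontroller.init already does. The ownership fix for /etc/openvswitch duplicates the one-time chown in openvswitch-switch.postinst; re-running it on every start is presumably there for the root-owned files that `ovs-pki req`/`self-sign` on the line above create, and a comment saying so would help. `start` ends at the closing brace inside the hunk.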