@@ -10,11 +10,15 @@ PartOf=openvswitch.service
[Service]
Type=forking
Restart=on-failure
+Environment="OVS_USER_ID=root:root"
+EnvironmentFile=-/etc/sysconfig/openvswitch-pre
EnvironmentFile=-/etc/sysconfig/openvswitch
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
--no-ovsdb-server --no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
start $OPTIONS
ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
--no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
restart $OPTIONS
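Review bot: `EnvironmentFile=-/etc/sysconfig/openvswitch-pre` is added here (and again in the ovsdb-server unit) but no such file or template is part of this patch and nothing documents what it is for; either add it to the sysconfig template with a comment explaining its purpose, or drop the line. Also note that, unlike the ovsdb-server hunk, this unit gets no `ExecStartPre=chown` for `/var/run/openvswitch`, so a non-root `OVS_USER_ID` here only works if the ovsdb-server unit's `ExecStartPre` has already re-owned the directory; that ordering dependency should be stated in a comment or the same `ExecStartPre` added here.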
@@ -8,12 +8,17 @@ PartOf=openvswitch.service
[Service]
Type=forking
Restart=on-failure
+Environment="OVS_USER_ID=root:root"
+EnvironmentFile=-/etc/sysconfig/openvswitch-pre
EnvironmentFile=-/etc/sysconfig/openvswitch
+ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
--no-ovs-vswitchd --no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
start $OPTIONS
ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
+ --ovs-user=${OVS_USER_ID} \
--no-monitor restart $OPTIONS
RuntimeDirectory=openvswitch
RuntimeDirectoryMode=0755
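Review bot: `ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch` is the only ownership change in the patch, and it is not recursive, so anything already present under the directory keeps its old owner after switching `OVS_USER_ID`; if the daemon also needs write access to other paths (database, log directory) when run as a non-root user, the sysconfig comment should say so. Since `RuntimeDirectory=openvswitch` with mode 0755 creates the directory before `ExecStartPre` runs, the `chown` will succeed for a valid account, but it fails the unit outright if the named user or group does not exist, so the value needs validating before use. A small consistency point: in `ExecReload` the new `--ovs-user` line sits between `--no-ovs-vswitchd \` and `--no-monitor restart`, whereas the ovs-vswitchd unit places it after `--no-monitor`; harmless, but worth aligning.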
@@ -21,3 +21,6 @@
# --ovsdb-server-wrapper=valgrind
#
OPTIONS=""
+
+# You may change the user:group below to run as a separate user
+#OVS_USER_ID="openvswitch:openvswitch"
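Review bot: the new comment should state that the user and group named in `OVS_USER_ID` must already exist before the service starts, because the ovsdb-server unit's `ExecStartPre=chown` fails on an unknown account and the service will not come up; it should also mention that this value overrides the `root:root` default set by `Environment=` in the units, since `EnvironmentFile=` is read after it, and that the `-pre` environment file referenced by the units is not described anywhere.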
Under rpm-based distributions, the only user:group that the rhel daemons run as is 'root:root'. This is fine as a default, but as part of a security procedure, users may want to run as an alternate uid/gid. This commit adds an OVS_USER_ID environment variable for systemd, which defaults to root:root, but can be overridden by changing the /etc/sysconfig/openvswitch environment file.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/usr_lib_systemd_system_ovs-vswitchd.service              | 4 ++++
 rhel/usr_lib_systemd_system_ovsdb-server.service              | 5 +++++
 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template | 3 +++
 3 files changed, 12 insertions(+)