
[ovs-dev,RFC,v0,4/4] fedora: allow dpdk to also run as non-root user

Message ID 20170423142114.3657-5-aconole@redhat.com
State Superseded

Commit Message

Aaron Conole April 23, 2017, 2:21 p.m. UTC
After this commit, users may start a dpdk-enabled ovs setup as a
non-root user.  This is accomplished by setting the $HOME directory in the
service unit, which dpdk uses to store its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership.  This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete.  There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges.  However, this would mean that if DPDK ever grows an uninit
/ reinit function, non-root ovs likely could never use it.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in                  | 25 ++++++++++++++++++++++++
 rhel/usr_lib_systemd_system_ovs-vswitchd.service |  2 ++
 2 files changed, 27 insertions(+)

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 5f5e89d..f4aa5e4 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -93,6 +93,10 @@  Requires: openssl hostname iproute module-init-tools
 
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/useradd
+%if %{with dpdk}
+Requires(post): /usr/sbin/usermod
+Requires(post): /usr/sbin/groupadd
+%endif
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
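Review bot: The new Requires(post) lines are guarded by `%if %{with dpdk}` while the %post hunks that actually invoke groupadd and usermod are guarded by `%if %{with_dpdk}`. Whether both spellings are defined depends on the spec's bcond setup, which is outside this hunk; if they are not, one guard evaluates differently from the other and the scriptlet will call a tool the package never declared as a dependency. Use one spelling throughout, e.g. `%if %{with_dpdk}` here to match the %post sections.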
@@ -362,6 +366,16 @@  rm -rf $RPM_BUILD_ROOT
 
         echo "OVS_USER_ID=openvswitch:openvswitch" > \
              /etc/sysconfig/openvswitch-pre
+
+%if %{with_dpdk}
+        getent group hugetlbfs >/dev/null || \
+            groupadd hugetlbfs
+
+        echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+             /etc/sysconfig/openvswitch-pre
+%endif
+
+        install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
     fi
     %systemd_post %{name}.service
 %else
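Review bot: This %post branch creates the hugetlbfs group and switches OVS_USER_ID to `openvswitch:hugetlbfs`, but unlike the parallel branch further down it never runs `usermod -a -G hugetlbfs openvswitch`. Whether supplementary-group membership is needed depends on how ovs-ctl's --ovs-user drops privileges, which is not visible here, but the two branches should agree either way. Also note the branch first writes `openvswitch:openvswitch` to /etc/sysconfig/openvswitch-pre and then immediately overwrites it under the DPDK guard; a single echo with the group chosen by the guard would read more clearly. The enclosing %post scriptlet and its `if` begin outside the hunk.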
@@ -373,6 +387,17 @@  rm -rf $RPM_BUILD_ROOT
         echo "OVS_USER_ID=openvswitch:openvswitch" > \
              /etc/sysconfig/openvswitch-pre
 
+
+%if %{with_dpdk}
+        getent group hugetlbfs >/dev/null || \
+            groupadd hugetlbfs
+        usermod -a -G hugetlbfs openvswitch
+        echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+             /etc/sysconfig/openvswitch-pre
+%endif
+
+        install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
+
         /bin/systemctl daemon-reload >dev/null || :
     fi
 %endif
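Review bot: The group is created with a plain `groupadd hugetlbfs`, which allocates a GID from the ordinary user range; a group that exists only to gate access to a device mount should be a system group, `groupadd -r hugetlbfs`. Because the `getent group hugetlbfs` guard silently reuses any pre-existing group of that name, adding openvswitch to it also inherits whatever other access that group already carries on the host, which is worth a comment above the getent line, e.g. `# reuse an existing hugetlbfs group (e.g. from libhugetlbfs) rather than fail`. The enclosing %post scriptlet and its `if` begin outside the hunk.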
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
index 0434d20..a0c8233 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
@@ -11,8 +11,10 @@  PartOf=openvswitch.service
 Type=forking
 Restart=on-failure
 Environment="OVS_USER_ID=root:root"
+Environment="HOME=/var/run/openvswitch"
 EnvironmentFile=-/etc/sysconfig/openvswitch-pre
 EnvironmentFile=-/etc/sysconfig/openvswitch
+ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
           --ovs-user=${OVS_USER_ID} \
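Review bot: The added `ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"` wraps the whole command line in one pair of quotes, so systemd treats the entire string as argv[0] — an executable path containing spaces — rather than as a program plus arguments, and the pre-step cannot succeed. The same line runs in non-DPDK builds where no hugetlbfs group exists and on hosts where /dev/hugepages is not mounted, in which case a failing chown prevents ovs-vswitchd from starting at all; prefix it with `-` so the step is best-effort. Changing group ownership alone also grants no write access if the mount keeps the usual 0755 mode, so a mode change is needed as well: `ExecStartPre=-/usr/sbin/chown :hugetlbfs /dev/hugepages` followed by `ExecStartPre=-/bin/chmod g+w /dev/hugepages` (never world-writable, since anyone who can write the mount can map the switch's hugepages). Note that this re-permissions a host-wide mount on every start, which affects any other hugepage users on the machine.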