@@ -93,6 +93,10 @@ Requires: openssl hostname iproute module-init-tools
Requires(post): /usr/bin/getent
Requires(post): /usr/sbin/useradd
+%if %{with dpdk}
+Requires(post): /usr/sbin/usermod
+Requires(post): /usr/sbin/groupadd
+%endif
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
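Review bot: The conditional on the first added line is spelled `%if %{with dpdk}`, while both %post hunks later in this patch test `%if %{with_dpdk}`. The two spellings are not interchangeable: `%{with dpdk}` is the bcond form that always expands to 0 or 1, whereas `%{with_dpdk}` is only defined when the build was invoked with that option. Use the same form in all three places, preferably `%{with dpdk}`, so the Requires(post) lines and the scriptlet that calls groupadd and usermod are always enabled together.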
@@ -362,6 +366,16 @@ rm -rf $RPM_BUILD_ROOT
echo "OVS_USER_ID=openvswitch:openvswitch" > \
/etc/sysconfig/openvswitch-pre
+
+%if %{with_dpdk}
+ getent group hugetlbfs >/dev/null || \
+ groupadd hugetlbfs
+
+ echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+ /etc/sysconfig/openvswitch-pre
+%endif
+
+ install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
fi
%systemd_post %{name}.service
%else
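Review bot: This branch is missing the `usermod -a -G hugetlbfs openvswitch` call that the equivalent block in the next hunk has, even though the Requires(post) on /usr/sbin/usermod is declared for both. Either add the call here or explain why this branch does not need the supplementary group. The DPDK block also rewrites /etc/sysconfig/openvswitch-pre immediately after the unconditional echo wrote `openvswitch:openvswitch` to it; a `%if`/`%else` around a single echo would write the file once and make the intended value obvious.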
@@ -373,6 +387,17 @@ rm -rf $RPM_BUILD_ROOT
echo "OVS_USER_ID=openvswitch:openvswitch" > \
/etc/sysconfig/openvswitch-pre
+
+%if %{with_dpdk}
+ getent group hugetlbfs >/dev/null || \
+ groupadd hugetlbfs
+ usermod -a -G hugetlbfs openvswitch
+ echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+ /etc/sysconfig/openvswitch-pre
+%endif
+
+ install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
+
/bin/systemctl daemon-reload >dev/null || :
fi
%endif
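Review bot: The added `install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch` sits after the `%endif`, so it runs for non-DPDK builds too (the same is true in the previous hunk), and the commit message does not mention it. If it is needed for the non-root DPDK case only, move it inside the conditional; if it is a general fix, split it into its own patch or document it in the commit message. Separately, the unchanged context line below it redirects to `>dev/null` without a leading slash, which is worth correcting to `>/dev/null` while this scriptlet is being touched.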
@@ -11,8 +11,10 @@ PartOf=openvswitch.service
Type=forking
Restart=on-failure
Environment="OVS_USER_ID=root:root"
+Environment="HOME=/var/run/openvswitch"
EnvironmentFile=-/etc/sysconfig/openvswitch-pre
EnvironmentFile=-/etc/sysconfig/openvswitch
+ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
--no-ovsdb-server --no-monitor --system-id=random \
--ovs-user=${OVS_USER_ID} \
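Review bot: The added `ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"` wraps the whole command line in double quotes, and systemd treats a quoted string as a single word, so the executable path becomes the entire string including the arguments and the step will fail. Drop the quotes. The line is also unconditional, unlike the spec changes that create the hugetlbfs group only for DPDK builds, so on a host without that group the chown fails and blocks ovs-vswitchd from starting; prefix the command with `-` or make it conditional. Note too that only the group owner is changed here, so write access still depends on the existing mode of /dev/hugepages including group write, and the group is hard-coded rather than taken from OVS_USER_ID.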
After this commit, users may start a dpdk-enabled ovs setup as a
non-root user. This is accomplished by exporting the $HOME directory,
which dpdk uses to fill in its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages
as part of starting the ovs-vswitchd to set a hugetlbfs group
ownership. This is used to enable writing to /dev/hugepages so that the
dpdk_init will successfully complete. There is an alternate way of
accomplishing this - namely to initialize DPDK before dropping
privileges. However, this would mean that if DPDK ever grows an uninit /
reinit function, non-root ovs likely could never use it.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in                  | 25 ++++++++++++++++++++++++
 rhel/usr_lib_systemd_system_ovs-vswitchd.service |  2 ++
 2 files changed, 27 insertions(+)