| Message ID | 20170309153506.17749-1-aconole@redhat.com |
|---|---|
| State | RFC |
| Headers | show |
Hi Aaron, On 03/09/2017 03:35 PM, Aaron Conole wrote: > The Open vSwitch run, log, and DB directories are installed as part of the > normal `make install` process. However, this means they are created with > user and group ownership that may conflict with the desired user. For > example, running `make install` as root will install those files as > root:root, whereas the runtime user desired may be openvswitch:openvswitch. > > Since these directories are automatically created as part of the ovs-ctl > command, and with the correct user:group permissions, it makes sense to > delay creation until these directories are actually required. > > Signed-off-by: Aaron Conole <aconole@redhat.com> It looks reasonable to me. Thanks! Reviewed-by: Markos Chandras <mchandras@suse.de>
Markos Chandras <mchandras@suse.de> writes: > Hi Aaron, > > On 03/09/2017 03:35 PM, Aaron Conole wrote: >> The Open vSwitch run, log, and DB directories are installed as part of the >> normal `make install` process. However, this means they are created with >> user and group ownership that may conflict with the desired user. For >> example, running `make install` as root will install those files as >> root:root, whereas the runtime user desired may be openvswitch:openvswitch. >> >> Since these directories are automatically created as part of the ovs-ctl >> command, and with the correct user:group permissions, it makes sense to >> delay creation until these directories are actually required. >> >> Signed-off-by: Aaron Conole <aconole@redhat.com> > > It looks reasonable to me. Thanks! > > Reviewed-by: Markos Chandras <mchandras@suse.de> Thanks Markos. I'm planning on submitting this as a full PATCH once I've double checked that it doesn't break any of my existing test scripts and rpm builds. -Aaron
Aaron Conole <aconole@redhat.com> writes: > The Open vSwitch run, log, and DB directories are installed as part of the > normal `make install` process. However, this means they are created with > user and group ownership that may conflict with the desired user. For > example, running `make install` as root will install those files as > root:root, whereas the runtime user desired may be openvswitch:openvswitch. > > Since these directories are automatically created as part of the ovs-ctl > command, and with the correct user:group permissions, it makes sense to > delay creation until these directories are actually required. > > Signed-off-by: Aaron Conole <aconole@redhat.com> > --- I was about to submit this with a fixup to the rhel side, but I dug into an older mailing list discussion where at least it seems like Ben wanted the make install to create these runtime directories[1], presumably to alleviate concerns with adding these mkdir type directives to each distro. I'm not sure how best to proceed with this effort, since I want to enable non-root ovs 'out of the box'. If that has to be done distro-specific (and I should simply modify the .spec file for this), then that may be acceptable for me. I think the issue encountered in [1] is due to not using ovs-ctl to start the daemons. Perhaps it will still be required from the fedora side to create these directories - I'm not sure. Thoughts? 1: https://mail.openvswitch.org/pipermail/ovs-dev/2013-July/273197.html
On Tue, Mar 21, 2017 at 02:20:30PM -0400, Aaron Conole wrote: > Aaron Conole <aconole@redhat.com> writes: > > > The Open vSwitch run, log, and DB directories are installed as part of the > > normal `make install` process. However, this means they are created with > > user and group ownership that may conflict with the desired user. For > > example, running `make install` as root will install those files as > > root:root, whereas the runtime user desired may be openvswitch:openvswitch. > > > > Since these directories are automatically created as part of the ovs-ctl > > command, and with the correct user:group permissions, it makes sense to > > delay creation until these directories are actually required. > > > > Signed-off-by: Aaron Conole <aconole@redhat.com> > > --- > > I was about to submit this with a fixup to the rhel side, but I dug into > an older mailing list discussion where at least it seems like Ben wanted > the make install to create these runtime directories[1], presumably to > alleviate concerns with adding these mkdir type directives to each > distro. > > I'm not sure how best to proceed with this effort, since I want to > enable non-root ovs 'out of the box'. If that has to be done > distro-specific (and I should simply modify the .spec file for this), > then that may be acceptable for me. I think the issue encountered in > [1] is due to not using ovs-ctl to start the daemons. Perhaps it will > still be required from the fedora side to create these directories - I'm > not sure. > > Thoughts? > > 1: https://mail.openvswitch.org/pipermail/ovs-dev/2013-July/273197.html Seems the perm changes should be part of the distro specific stuff. Don't they also have to create the users/groups?
On Wed, Mar 22, 2017 at 12:43:29PM -0400, Eric Garver wrote: > On Tue, Mar 21, 2017 at 02:20:30PM -0400, Aaron Conole wrote: > > Aaron Conole <aconole@redhat.com> writes: > > > > > The Open vSwitch run, log, and DB directories are installed as part of the > > > normal `make install` process. However, this means they are created with > > > user and group ownership that may conflict with the desired user. For > > > example, running `make install` as root will install those files as > > > root:root, whereas the runtime user desired may be openvswitch:openvswitch. > > > > > > Since these directories are automatically created as part of the ovs-ctl > > > command, and with the correct user:group permissions, it makes sense to > > > delay creation until these directories are actually required. > > > > > > Signed-off-by: Aaron Conole <aconole@redhat.com> > > > --- > > > > I was about to submit this with a fixup to the rhel side, but I dug into > > an older mailing list discussion where at least it seems like Ben wanted > > the make install to create these runtime directories[1], presumably to > > alleviate concerns with adding these mkdir type directives to each > > distro. > > > > I'm not sure how best to proceed with this effort, since I want to > > enable non-root ovs 'out of the box'. If that has to be done > > distro-specific (and I should simply modify the .spec file for this), > > then that may be acceptable for me. I think the issue encountered in > > [1] is due to not using ovs-ctl to start the daemons. Perhaps it will > > still be required from the fedora side to create these directories - I'm > > not sure. > > > > Thoughts? > > > > 1: https://mail.openvswitch.org/pipermail/ovs-dev/2013-July/273197.html > > Seems the perm changes should be part of the distro specific stuff. > Don't they also have to create the users/groups? They seem to be two separate problems. If an user is using "make install", most probably it needs to be root anyways and who knows which user he/she wants to use. On a distribution level, it doesn't matter much what make install does because RPM can fix permissions, create a standard user/groups, fix the initialization, and so on.
Flavio Leitner <fbl@sysclose.org> writes: > On Wed, Mar 22, 2017 at 12:43:29PM -0400, Eric Garver wrote: >> On Tue, Mar 21, 2017 at 02:20:30PM -0400, Aaron Conole wrote: >> > Aaron Conole <aconole@redhat.com> writes: >> > >> > > The Open vSwitch run, log, and DB directories are installed as part of the >> > > normal `make install` process. However, this means they are created with >> > > user and group ownership that may conflict with the desired user. For >> > > example, running `make install` as root will install those files as >> > > root:root, whereas the runtime user desired may be openvswitch:openvswitch. >> > > >> > > Since these directories are automatically created as part of the ovs-ctl >> > > command, and with the correct user:group permissions, it makes sense to >> > > delay creation until these directories are actually required. >> > > >> > > Signed-off-by: Aaron Conole <aconole@redhat.com> >> > > --- >> > >> > I was about to submit this with a fixup to the rhel side, but I dug into >> > an older mailing list discussion where at least it seems like Ben wanted >> > the make install to create these runtime directories[1], presumably to >> > alleviate concerns with adding these mkdir type directives to each >> > distro. >> > >> > I'm not sure how best to proceed with this effort, since I want to >> > enable non-root ovs 'out of the box'. If that has to be done >> > distro-specific (and I should simply modify the .spec file for this), >> > then that may be acceptable for me. I think the issue encountered in >> > [1] is due to not using ovs-ctl to start the daemons. Perhaps it will >> > still be required from the fedora side to create these directories - I'm >> > not sure. >> > >> > Thoughts? >> > >> > 1: https://mail.openvswitch.org/pipermail/ovs-dev/2013-July/273197.html >> >> Seems the perm changes should be part of the distro specific stuff. >> Don't they also have to create the users/groups? > > They seem to be two separate problems. If an user is using "make > install", most probably it needs to be root anyways and who knows > which user he/she wants to use. True - but that means after installing with `make install`, doing something like: useradd openvswitch && /path/to/ovs-ctl --ovs-user='openvswitch:nobody' start will encounter errors related to the installed directories. The user can go ahead and change those permissions. Maybe that is the approach that makes the most sense. > On a distribution level, it doesn't matter much what make install does > because RPM can fix permissions, create a standard user/groups, fix the > initialization, and so on. I think that's probably going to be the avenue I continue to pursue in this effort. I was trying to be as generic as possible, but probably this case needs to be fixed up on a per-distribution (and even operating system) basis. Thanks for the feedback, Flavio and Eric!
On Tue, Mar 21, 2017 at 02:20:30PM -0400, Aaron Conole wrote: > Aaron Conole <aconole@redhat.com> writes: > > > The Open vSwitch run, log, and DB directories are installed as part of the > > normal `make install` process. However, this means they are created with > > user and group ownership that may conflict with the desired user. For > > example, running `make install` as root will install those files as > > root:root, whereas the runtime user desired may be openvswitch:openvswitch. > > > > Since these directories are automatically created as part of the ovs-ctl > > command, and with the correct user:group permissions, it makes sense to > > delay creation until these directories are actually required. > > > > Signed-off-by: Aaron Conole <aconole@redhat.com> > > --- > > I was about to submit this with a fixup to the rhel side, but I dug into > an older mailing list discussion where at least it seems like Ben wanted > the make install to create these runtime directories[1], presumably to > alleviate concerns with adding these mkdir type directives to each > distro. > > I'm not sure how best to proceed with this effort, since I want to > enable non-root ovs 'out of the box'. If that has to be done > distro-specific (and I should simply modify the .spec file for this), > then that may be acceptable for me. I think the issue encountered in > [1] is due to not using ovs-ctl to start the daemons. Perhaps it will > still be required from the fedora side to create these directories - I'm > not sure. > > Thoughts? > > 1: https://mail.openvswitch.org/pipermail/ovs-dev/2013-July/273197.html I'm OK with making ovs-ctl the primary way to create the directories, if we document in Documentation/intro/install/general.rst how to use ovs-ctl. Currently we only document there how to start all the daemons by hand; that once made sense but it seems dated now.
diff --git a/lib/automake.mk b/lib/automake.mk index b266af1..e095d29 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -533,10 +533,7 @@ EXTRA_DIST += build-aux/extract-ofp-msgs INSTALL_DATA_LOCAL += lib-install-data-local lib-install-data-local: - $(MKDIR_P) $(DESTDIR)$(RUNDIR) $(MKDIR_P) $(DESTDIR)$(PKIDIR) - $(MKDIR_P) $(DESTDIR)$(LOGDIR) - $(MKDIR_P) $(DESTDIR)$(DBDIR) $(MKDIR_P) $(DESTDIR)$(sysconfdir)/openvswitch man_MANS += lib/ovs-fields.7
The Open vSwitch run, log, and DB directories are installed as part of the normal `make install` process. However, this means they are created with user and group ownership that may conflict with the desired user. For example, running `make install` as root will install those files as root:root, whereas the runtime user desired may be openvswitch:openvswitch. Since these directories are automatically created as part of the ovs-ctl command, and with the correct user:group permissions, it makes sense to delay creation until these directories are actually required. Signed-off-by: Aaron Conole <aconole@redhat.com> --- NOTE: An alternate approach where ovs-ctl would use chown/chmod to set the permissions could also work, but I haven't considered what the side effects would be. lib/automake.mk | 3 --- 1 file changed, 3 deletions(-)