From patchwork Fri Aug 4 17:00:57 2017
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 797922
X-Patchwork-Delegate: rbryant@redhat.com
From: Aaron Conole
To: dev@openvswitch.org
Date: Fri, 4 Aug 2017 13:00:57 -0400
Message-Id: <20170804170057.23047-6-aconole@redhat.com>
In-Reply-To: <20170804170057.23047-1-aconole@redhat.com>
References: <20170804170057.23047-1-aconole@redhat.com>
Cc: Flavio Leitner, Sergio Gonzalez Monroy, Ansis Atteka
Subject: [ovs-dev] [PATCH v4 5/5] redhat: allow dpdk to also run as non-root user

After this commit, users may start a dpdk-enabled ovs setup as a non-root user. This is accomplished by exporting the $HOME directory, which dpdk uses to fill in its semi-persistent RTE configuration.

This change may be a bit controversial since it modifies /dev/hugepages as part of starting the ovs-vswitchd to set a hugetlbfs group ownership. This is used to enable writing to /dev/hugepages so that the dpdk_init will successfully complete.

There is an alternate way of accomplishing this - namely to initialize DPDK before dropping privileges. However, this would mean that if DPDK ever grows an uninit / reinit function, non-root ovs likely could never use it.

This does not change OvS+DPDK's SELinux requirements. It still must be disabled.
Signed-off-by: Aaron Conole --- Documentation/intro/install/dpdk.rst | 7 +++++++ NEWS | 1 + rhel/README.RHEL.rst | 11 +++++++++++ rhel/openvswitch-fedora.spec.in | 13 +++++++++++++ rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 5 +++++ 5 files changed, 37 insertions(+) diff --git a/Documentation/intro/install/dpdk.rst b/Documentation/intro/install/dpdk.rst index b2b91d4..4b0828c 100644 --- a/Documentation/intro/install/dpdk.rst +++ b/Documentation/intro/install/dpdk.rst @@ -134,6 +134,13 @@ has to be configured with DPDK support (``--with-dpdk``). Additional information can be found in :doc:`general`. +.. note:: + If you are running using the Fedora or Red Hat package, the Open vSwitch + daemon will run as a non-root user. This implies that you must have a + working IOMMU. Visit the `RHEL README`__ for additional information. + +__ https://github.com/openvswitch/ovs/blob/master/rhel/README.RHEL.rst + Setup ----- diff --git a/NEWS b/NEWS index a89e718..a7bc1c3 100644 --- a/NEWS +++ b/NEWS @@ -70,6 +70,7 @@ Post-v2.7.0 First supported use case is encap/decap for Ethernet. - Fedora Packaging: * OVN services are no longer restarted automatically after upgrade. + * ovs-vswitchd and ovsdb-server run as non-root users by default. - Add --cleanup option to command 'ovs-appctl exit' (see ovs-vswitchd(8)). - L3 tunneling: * Use new tunnel port option "packet_type" to configure L2 vs. L3. diff --git a/rhel/README.RHEL.rst b/rhel/README.RHEL.rst index 6affdba..f3d2942 100644 --- a/rhel/README.RHEL.rst +++ b/rhel/README.RHEL.rst 
@@ -337,6 +337,17 @@ running. All other commands where executed when Open vSwitch was successfully running. +Non-root User Support +----------------------- +Fedora and RHEL support running the Open vSwitch daemons as a non-root user. +By default, a fresh installation will create an *openvswitch* user, along +with any additional support groups needed (such as *hugetlbfs* for DPDK +support). + +This is controlled by modifying the ``OVS_USER_ID`` option. Setting this +to 'root:root', or commenting the variable out will revert this behavior. + + Reporting Bugs -------------- diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 1061824..2eccada 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -95,6 +95,10 @@ Requires: openssl hostname iproute module-init-tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/useradd Requires(post): /usr/bin/sed +%if %{with dpdk} +Requires(post): /usr/sbin/usermod +Requires(post): /usr/sbin/groupadd +%endif Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -379,6 +383,15 @@ if [ $1 -eq 1 ]; then sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch +%if %{with dpdk} + getent group hugetlbfs >/dev/null || \ + groupadd hugetlbfs + usermod -a -G hugetlbfs openvswitch + sed -i \ + 's@OVS_USER_ID="openvswitch:openvswitch"@OVS_USER_ID="openvswitch:hugetlbfs"@'\ + /etc/sysconfig/openvswitch +%endif + # In the case of upgrade, this is not needed. chown -R openvswitch:openvswitch /etc/openvswitch fi diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index 9aff70b..bf0f058 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in 
@@ -10,8 +10,13 @@ PartOf=openvswitch.service [Service] Type=forking Restart=on-failure +Environment=HOME=/var/run/openvswitch EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch +@begin_dpdk@ +ExecStartPre=/usr/bin/chown :hugetlbfs /dev/hugepages +ExecStartPre=/usr/bin/chmod 0775 /dev/hugepages +@end_dpdk@ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ --ovs-user=${OVS_USER_ID} \
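Review bot: in the Documentation/intro/install/dpdk.rst hunk, the new note states that running as non-root "implies that you must have a working IOMMU" without saying why, and "If you are running using the Fedora or Red Hat package" reads awkwardly. Suggest "If you are using the Fedora or Red Hat package, the Open vSwitch daemon will run as a non-root user. This requires a working IOMMU, because device access for a non-root daemon goes through VFIO." so a reader knows what will fail on a host without one before following the RHEL README link.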
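Review bot: the NEWS hunk records only that ovs-vswitchd and ovsdb-server run as non-root users by default, but this series also changes, for DPDK builds, the openvswitch account's group to hugetlbfs and re-owns and chmods /dev/hugepages at every ovs-vswitchd start. Both are administrator-visible changes and deserve a second bullet under "Fedora Packaging" so they are not discovered from the service file.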
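Review bot: the rhel/README.RHEL.rst hunk never says which file holds OVS_USER_ID; the spec hunk edits /etc/sysconfig/openvswitch, so write "This is controlled by the ``OVS_USER_ID`` option in ``/etc/sysconfig/openvswitch``." It also omits the DPDK-specific consequences an administrator needs when reverting to 'root:root': the group becomes *hugetlbfs* and /dev/hugepages is re-owned to that group and made group-writable each time the service starts, and reverting the variable does not undo that. Minor: the underline under "Non-root User Support" is longer than the title while "Reporting Bugs" in the same file matches exactly, and "commenting the variable out will revert" wants a comma after "out".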
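Review bot: in the %post hunk of rhel/openvswitch-fedora.spec.in, `groupadd hugetlbfs` allocates a GID from the regular user range; a group that exists only to own /dev/hugepages should be a system group, so use `groupadd -r hugetlbfs`. Two further points: the second sed matches only if the file contains exactly OVS_USER_ID="openvswitch:openvswitch" after the first sed uncomments it, and silently leaves any other value in place, so either match on `^OVS_USER_ID=.*` or check that the substitution happened; and because the whole block sits inside `if [ $1 -eq 1 ]`, a host upgraded from a package without this change never gets the openvswitch user added to hugetlbfs, while the new service file's chown and chmod of /dev/hugepages still run on that host.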
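Review bot: in the rhel/usr_lib_systemd_system_ovs-vswitchd.service.in hunk, the two ExecStartPre lines run as root on every start (the unit has no User= line; ovs-ctl drops privileges itself via --ovs-user) and have no failure handling, so on a DPDK-built package where /dev/hugepages is not mounted the chown fails and ovs-vswitchd will not start at all; prefix them with `-` (ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages) or add ConditionPathIsMountPoint=/dev/hugepages. The chmod 0775 also widens a root-owned directory for every member of hugetlbfs and is never reverted; since the spec adds only the openvswitch account to that group, consider 1775 so members cannot remove each other's files there, and note in the README that the mode persists after the service stops. Finally, Environment=HOME=/var/run/openvswitch relies on that directory existing and being writable by ${OVS_USER_ID} before DPDK writes its RTE configuration there; nothing in this hunk creates it, so say where that is guaranteed.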