On Wed, Jul 18, 2012 at 10:00:49AM +0200, Bastian Blank wrote:
> On Tue, Jul 17, 2012 at 09:31:44AM -0700, Ben Pfaff wrote:
> > On Tue, Jul 17, 2012 at 03:20:40PM +0200, Bastian Blank wrote:
> > > openvswitch uses a db called /etc/openvswitch/conf.db. This file is
> > > programmatically modified and not user editable. This violates §10.7 of the
> > > policy.
> > Can you be more specific? 10.7.1 defines a configuration file as:
> >
> > A file that affects the operation of a program, or provides site-
> > or host-specific information, or otherwise customizes the behavior
> > of a program. Typically, configuration files are intended to be
> > modified by the system administrator (if needed or desired) to
> > conform to local policy or to provide more useful site-specific
> > behavior.
>
> This lacks the reference to FHS, which is a normative part of the
> policy:
>
> | The /etc hierarchy contains configuration files. A "configuration file"
> | is a local file used to control the operation of a program; it must be
> | static and cannot be an executable binary.
>
> > /etc/openvswitch/conf.db fits that description. The first sentence is
> > obviously true.
>
> No. It is no configuration file if it is not static.

The FHS defines "static" as:

"Static" files include binaries, libraries, documentation files and
other files that do not change without system administrator
intervention. "Variable" files are files that are not static.

The system administrator runs ovs-vsctl to change
/etc/openvswitch/conf.db.

> > The second is also true, since the system
> > administrator does modify the file.
>
> How does modifying this file with an editor work?

It's somewhat challenging, because you have to calculate a sha1sum with
the sha1sum program, and the format isn't really intended for direct
human editing. But, as I said before (you dropped the quote), I do not
see anything in 10.7 that says that the administrator must be able to
edit a configuration file with a text editor.

> How does it survive read-only /etc?

If you have read-only /etc, then you can't modify your configuration, in
the same way you can't modify other parts of your configuration.