Add configuration option for enabling or disabling linking with
libcap-ng. Since capabilities are a security feature, the libcapng
option is handled as follows:
- no option: use libcapng if it's present
--disable-libcapng: do not use libcapng
--enable-libcapng: do use libcapng and fail configuration if
it's missing
On Linux, not linking with libcapng makes all OVS daemons fail when
--user option is specified.
Signed-off-by: Andy Zhou <[email protected]>
---
INSTALL.md | 7 +++++++
configure.ac | 1 +
lib/automake.mk | 1 +
m4/openvswitch.m4 | 36 ++++++++++++++++++++++++++++++++++++
4 files changed, 45 insertions(+)
diff --git a/INSTALL.md b/INSTALL.md
index 9dac430..50ab6c7 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -43,6 +43,13 @@ you will need the following software:
libssl is installed, then Open vSwitch will automatically build
with support for it.
+ - libcap-ng, written by Steve Grubb, is optional but recommended
+ if you plan to user --user option for running Open vSwitch on
+ Linux with kernel based datapath. libcap-ng is required to run
+ OVS daemons as a non-root user with dropped root privileges. If
+ libcap-ng is installed, then Open vSwitch will automatically
+ build with support for it.
+
- Python 2.7.
On Linux, you may choose to compile the kernel module that comes with
diff --git a/configure.ac b/configure.ac
index 36387a1..39055fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -91,6 +91,7 @@ OVS_CHECK_COVERAGE
OVS_CHECK_NDEBUG
OVS_CHECK_NETLINK
OVS_CHECK_OPENSSL
+OVS_CHECK_LIBCAPNG
OVS_CHECK_LOGDIR
OVS_CHECK_PYTHON
OVS_CHECK_DOT
diff --git a/lib/automake.mk b/lib/automake.mk
index 5fdd08f..d8c00da 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -8,6 +8,7 @@
lib_LTLIBRARIES += lib/libopenvswitch.la
lib_libopenvswitch_la_LIBADD = $(SSL_LIBS)
+lib_libopenvswitch_la_LIBADD += $(CAPNG_LDADD)
if WIN32
lib_libopenvswitch_la_LIBADD += ${PTHREAD_LIBS}
diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4
index 087c7e5..a36e07d 100644
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@@ -157,6 +157,42 @@ AC_DEFUN([OVS_CHECK_NETLINK],
[Define to 1 if Netlink protocol is available.])
fi])
+dnl Checks for libcap-ng.
+AC_DEFUN([OVS_CHECK_LIBCAPNG],
+ [AC_ARG_ENABLE(
+ [libcapng],
+ [AC_HELP_STRING([--disable-libcapng], [Disable Linux capability
support])],
+ [case "${enableval}" in
+ (yes) libcapng=true ;;
+ (no) libcapng=false ;;
+ (*) AC_MSG_ERROR([bad value ${enableval} for --enable-libcapng]) ;;
+ esac],
+ [libcapng=check])
+
+ if test "$libcapng" != false; then
+ AC_CHECK_LIB(cap-ng, [capng_clear], [HAVE_LIBCAPNG=yes])
+
+ if test "$HAVE_LIBCAPNG" != yes; then
+ if test "$libcapng" == true ; then
+ AC_MSG_ERROR([libcap-ng support requested, but not found])
+ fi
+ if test "$libcapng" == check ; then
+ AC_MSG_WARN([cannot find libcap-ng.
+--user option will not be supported on Linux.
+(you may use --disable-libcapng to suppress this warning). ])
+ fi
+ fi
+ fi
+
+ AC_SUBST([HAVE_LIBCAPNG])
+ AM_CONDITIONAL([HAVE_LIBCAPNG], [test "$HAVE_LIBCAPNG" = yes])
+ if test "$HAVE_LIBCAPNG" = yes; then
+ AC_DEFINE([HAVE_LIBCAPNG], [1],
+ [Define to 1 if libcap-ng is available.])
+ CAPNG_LDADD="-lcap-ng"
+ AC_SUBST([CAPNG_LDADD])
+ fi])
+
dnl Checks for OpenSSL.
AC_DEFUN([OVS_CHECK_OPENSSL],
[AC_ARG_ENABLE(
--
1.9.1
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
