The Open vSwitch daemons accept --user user[:group] so that they can be
spawned under different user privileges.  ovs-ctl now accepts --ovs-user
in the same form to pass this argument on, and to create databases and
data directories with the appropriate privileges.

Signed-off-by: Aaron Conole <acon...@redhat.com>
---
 utilities/ovs-ctl.8  |  7 +++++++
 utilities/ovs-ctl.in |  6 ++++++
 utilities/ovs-lib.in | 13 +++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
index cd7c267..985c08f 100644
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -159,6 +159,13 @@ Deletes all ports that have the other_config:transient 
value set to true. This
 is important on certain environments where some ports are going to be recreated
 after reboot, but other ports need to be persisted in the database.
 .
+.IP "\fB\-\-ovs\-user=user[:group]\fR"
+Ordinarily Open vSwitch daemons are started as the user invoking the ovs-ctl
+command.  Some system administrators would prefer to have the various daemons
+spawn as different users in their environments.  This option allows passing the
+\fB\-\-user\fR option to the \fBovsdb\-server\fR and \fBovs\-vswitchd\fR
+daemons, allowing them to change their privilege levels.
+.
 .PP
 The following options are less important:
 .
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 79979c3..628bb4c 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -170,6 +170,8 @@ do_start_ovsdb () {
         set "$@" --private-key=db:Open_vSwitch,SSL,private_key
         set "$@" --certificate=db:Open_vSwitch,SSL,certificate
         set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
+        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
         start_daemon "$OVSDB_SERVER_PRIORITY" "$OVSDB_SERVER_WRAPPER" "$@" \
             || return 1
 
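Review bot: The added `[ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"` departs from the `if test X"$VAR" = X...; then ... fi` form the surrounding code uses (see the SELF_CONFINEMENT test in the next hunk), and an `&&` chain leaves the test's non-zero status as the line's status whenever the variable is empty. `if test -n "$OVS_USER"; then set "$@" --user "$OVS_USER"; fi` reads consistently with the rest of the function and has no such side effect. The identical line is added in the do_start_forwarding hunk below, where the same applies. do_start_ovsdb starts and ends outside this hunk.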
@@ -239,6 +241,8 @@ do_start_forwarding () {
         if test X"$SELF_CONFINEMENT" = Xno; then
             set "$@" --no-self-confinement
         fi
+        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
         start_daemon "$OVS_VSWITCHD_PRIORITY" "$OVS_VSWITCHD_WRAPPER" "$@" ||
             return 1
     fi
@@ -503,6 +507,7 @@ set_defaults () {
     MLOCKALL=yes
     SELF_CONFINEMENT=yes
     MONITOR=yes
+    OVS_USER=
     OVSDB_SERVER=yes
     OVS_VSWITCHD=yes
     OVSDB_SERVER_PRIORITY=-10
@@ -570,6 +575,7 @@ Other important options for "start", "restart" and 
"force-reload-kmod":
   --external-id="key=value"
                      add given key-value pair to Open_vSwitch external-ids
   --delete-bridges   delete all bridges just before starting ovs-vswitchd
+  --ovs-user="user[:group]"  pass the --user flag to ovs daemons
 
 Less important options for "start", "restart" and "force-reload-kmod":
   --daemon-cwd=DIR               set working dir for OVS daemons (default: 
$DAEMON_CWD)
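Review bot: The usage line for `--ovs-user` says only that the `--user` flag is passed to the daemons, but the ovs-lib changes in this patch also create missing directories owned by that user and run ovsdb-tool as that user, so the help text understates what an administrator should expect. A wording such as `--ovs-user="user[:group]"  run OVS daemons as user[:group]; directories and databases ovs-ctl creates are owned by it` would state the ownership effect up front. The usage text continues outside the hunk.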
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index b7680bb..93085ca 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -150,8 +150,13 @@ version_geq() {
 
 install_dir () {
     DIR="$1"
+    INSTALL_USER="root"
+    INSTALL_GROUP="root"
+    [ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
+    [ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
+
     if test ! -d "$DIR"; then
-        install -d -m 755 -o root -g root "$DIR"
+        install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
         restorecon "$DIR" >/dev/null 2>&1
     fi
 }
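Review bot: When OVS_USER contains no colon, `${OVS_USER##*:}` expands to the whole value, so the INSTALL_GROUP test on the fourth added line sets the group to the user name rather than leaving the `root` default, and `install -g` then fails if no group of that name exists; if a same-named group is the intent, the `root` default for the group is dead code. Taking the group only when a separator is present, `case "$OVS_USER" in *:?*) INSTALL_GROUP="${OVS_USER##*:}" ;; esac`, keeps the documented `user[:group]` form and the root fallback. Separately, the ownership is applied only inside the `test ! -d "$DIR"` branch, so a directory that already exists keeps its previous owner and a daemon later started as OVS_USER presumably cannot write to it; either a `chown` in the existing-directory case or a comment stating that pre-existing directories are left untouched would make that explicit. install_dir is fully contained in this hunk.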
@@ -372,7 +377,11 @@ move_ip_routes () {
 }
 
 ovsdb_tool () {
-    ovsdb-tool -vconsole:off "$@"
+    if [ "$OVS_USER" != "" ]; then
+        runuser --user "${OVS_USER%:*}" -- ovsdb-tool -vconsole:off "$@"
+    else
+        ovsdb-tool -vconsole:off "$@"
+    fi
 }
 
 create_db () {
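Review bot: The group component of OVS_USER is dropped on the runuser line (`${OVS_USER%:*}` keeps only the user), so a database created through this wrapper presumably ends up with the user's primary group rather than the group the administrator passed, while install_dir in the earlier hunk honours that group; passing it via runuser's `--group` when a colon is present would keep the two consistent. runuser is util-linux specific, so where ovs-ctl may run without it a `command -v runuser >/dev/null || { echo "runuser not found" >&2; return 1; }` guard gives a clearer failure than the bare 127 the caller would otherwise see. Both branches forward `"$@"` unchanged, which is correct. create_db, which begins on the hunk's last line, continues outside it.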
-- 
2.9.3
