The Open vSwitch daemons allow passing --user user[:group] to allow spawning under different user privileges. ovs-ctl now accepts --ovs-user in the same form to pass this argument on, as well as to create databases and data directories with the appropriate privileges.
Signed-off-by: Aaron Conole <acon...@redhat.com>
---
 utilities/ovs-ctl.8 | 7 +++++++
 utilities/ovs-ctl.in | 6 ++++++
 utilities/ovs-lib.in | 13 +++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
index cd7c267..985c08f 100644
--- a/utilities/ovs-ctl.8
+++ b/utilities/ovs-ctl.8
@@ -159,6 +159,13 @@ Deletes all ports that have the other_config:transient value set to true.
 This is important on certain environments where some ports are going to be
 recreated after reboot, but other ports need to be persisted in the database.
 .
+.IP "\fB\-\-ovs\-user=user[:group]\fR"
+Ordinarily Open vSwitch daemons are started as the user invoking the ovs-ctl
+command. Some system administrators would prefer to have the various daemons
+spawn as different users in their environments. This option allows passing the
+\fB\-\-user\fR option to the \fBovsdb\-server\fR and \fBovs\-vswitchd\fR
+daemons, allowing them to change their privilege levels.
+.
 .PP
 The following options are less important:
 .
diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
index 79979c3..628bb4c 100755
--- a/utilities/ovs-ctl.in
+++ b/utilities/ovs-ctl.in
@@ -170,6 +170,8 @@ do_start_ovsdb () {
 set "$@" --private-key=db:Open_vSwitch,SSL,private_key
 set "$@" --certificate=db:Open_vSwitch,SSL,certificate
 set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
+ [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
 start_daemon "$OVSDB_SERVER_PRIORITY" "$OVSDB_SERVER_WRAPPER" "$@" \
 || return 1
@@ -239,6 +241,8 @@ do_start_forwarding () {
 if test X"$SELF_CONFINEMENT" = Xno; then
 set "$@" --no-self-confinement
 fi
+ [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
 start_daemon "$OVS_VSWITCHD_PRIORITY" "$OVS_VSWITCHD_WRAPPER" "$@" ||
 return 1
 fi
@@ -503,6 +507,7 @@ set_defaults () {
 MLOCKALL=yes
 SELF_CONFINEMENT=yes
 MONITOR=yes
+ OVS_USER=
 OVSDB_SERVER=yes
 OVS_VSWITCHD=yes
 OVSDB_SERVER_PRIORITY=-10
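Review bot: The new `set "$@" --user "$OVS_USER"` lines in do_start_ovsdb and do_start_forwarding pass the option as two argv words, while every neighbouring option in the same functions is written in the attached `--option=value` form; `set "$@" --user="$OVS_USER"` keeps the style uniform and avoids a dangling `--user` word if the value were ever empty after a later refactor. The value is forwarded unvalidated, which is acceptable since the daemons parse it themselves, but a one-line comment such as `# Daemon drops to this user[:group] after startup; see ovs-vswitchd(8) --user.` next to the first occurrence would help readers of ovs-ctl. Both do_start_ovsdb and do_start_forwarding begin and end outside their hunks.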
@@ -570,6 +575,7 @@ Other important options for "start", "restart" and "force-reload-kmod":
 --external-id="key=value" add given key-value pair to Open_vSwitch external-ids
 --delete-bridges delete all bridges just before starting ovs-vswitchd
+ --ovs-user="user[:group]" pass the --user flag to ovs daemons
 Less important options for "start", "restart" and "force-reload-kmod":
 --daemon-cwd=DIR set working dir for OVS daemons (default: $DAEMON_CWD)
diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
index b7680bb..93085ca 100644
--- a/utilities/ovs-lib.in
+++ b/utilities/ovs-lib.in
@@ -150,8 +150,13 @@ version_geq() {
 install_dir () {
 DIR="$1"
+ INSTALL_USER="root"
+ INSTALL_GROUP="root"
+ [ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
+ [ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
+
 if test ! -d "$DIR"; then
- install -d -m 755 -o root -g root "$DIR"
+ install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
 restorecon "$DIR" >/dev/null 2>&1
 fi
 }
@@ -372,7 +377,11 @@ move_ip_routes () {
 }
 ovsdb_tool () {
- ovsdb-tool -vconsole:off "$@"
+ if [ "$OVS_USER" != "" ]; then
+ runuser --user "${OVS_USER%:*}" -- ovsdb-tool -vconsole:off "$@"
+ else
+ ovsdb-tool -vconsole:off "$@"
+ fi
 }
 create_db () {
--
2.9.3
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
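Review bot: The group fallback in install_dir is wrong when --ovs-user carries no group: for `OVS_USER=openvswitch`, `${OVS_USER##*:}` expands to the whole string because there is no colon to strip, so `INSTALL_GROUP` becomes `openvswitch` and `install -d ... -g openvswitch` fails on any host without a group of that name, leaving the directory uncreated. Only take the group when a colon is actually present, e.g. `case "$OVS_USER" in *:*) INSTALL_GROUP="${OVS_USER##*:}" ;; esac`, and document whether an absent group means root or the user's primary group. Note also that the `test ! -d "$DIR"` guard means an existing root-owned directory from a previous install keeps its ownership, so switching an already-deployed system to --ovs-user presumably leaves the daemons unable to write there; a comment stating that install_dir never re-chowns existing directories would make that limitation visible.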
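Review bot: `runuser --user "${OVS_USER%:*}"` in ovsdb_tool switches the user only, so anything created through it (the database file via create_db, whose body is outside this hunk) gets that user's primary group rather than the group from `user:group`, which is inconsistent with what install_dir grants the directory and with the `--user user:group` the daemons are handed. Passing `--group "${OVS_USER##*:}"` to runuser when a colon is present keeps the three in agreement. `runuser` is a util-linux command, so when OVS_USER is set on a host without it the call fails with a command-not-found rather than a clear message; a `command -v runuser >/dev/null || { echo "runuser required for --ovs-user" >&2; return 1; }` guard would fail earlier and louder.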