After this commit, users may start a dpdk-enabled ovs setup as a non-root user. This is accomplished by exporting the $HOME directory, which dpdk uses to fill in its semi-persistent RTE configuration.
This change may be a bit controversial since it modifies /dev/hugepages as part of starting the ovs-vswitchd to set a hugetlbfs group ownership. This is used to enable writing to /dev/hugepages so that the dpdk_init will successfully complete. There is an alternate way of accomplishing this - namely to initialize DPDK before dropping privileges. However, this would mean that if DPDK ever grows an uninit / reinit function, non-root ovs likely could never use it. Signed-off-by: Aaron Conole <[email protected]> --- rhel/openvswitch-fedora.spec.in | 25 ++++++++++++++++++++++++ rhel/usr_lib_systemd_system_ovs-vswitchd.service | 2 ++ 2 files changed, 27 insertions(+) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 5f5e89d..f4aa5e4 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -93,6 +93,10 @@ Requires: openssl hostname iproute module-init-tools Requires(post): /usr/bin/getent Requires(post): /usr/sbin/useradd +%if %{with dpdk} +Requires(post): /usr/sbin/usermod +Requires(post): /usr/sbin/groupadd +%endif Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -362,6 +366,16 @@ rm -rf $RPM_BUILD_ROOT echo "OVS_USER_ID=openvswitch:openvswitch" > \ /etc/sysconfig/openvswitch-pre + +%if %{with_dpdk} + getent group hugetlbfs >/dev/null || \ + groupadd hugetlbfs + + echo "OVS_USER_ID=openvswitch:hugetlbfs" > \ + /etc/sysconfig/openvswitch-pre +%endif + + install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch fi %systemd_post %{name}.service %else 
@@ -373,6 +387,17 @@ rm -rf $RPM_BUILD_ROOT echo "OVS_USER_ID=openvswitch:openvswitch" > \ /etc/sysconfig/openvswitch-pre + +%if %{with_dpdk} + getent group hugetlbfs >/dev/null || \ + groupadd hugetlbfs + usermod -a -G hugetlbfs openvswitch + echo "OVS_USER_ID=openvswitch:hugetlbfs" > \ + /etc/sysconfig/openvswitch-pre +%endif + + install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch + /bin/systemctl daemon-reload >dev/null || : fi %endif diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service index 0434d20..a0c8233 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service @@ -11,8 +11,10 @@ PartOf=openvswitch.service Type=forking Restart=on-failure Environment="OVS_USER_ID=root:root" +Environment="HOME=/var/run/openvswitch" EnvironmentFile=-/etc/sysconfig/openvswitch-pre EnvironmentFile=-/etc/sysconfig/openvswitch +ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages" ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ --ovs-user=${OVS_USER_ID} \ -- 2.9.3 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
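Review bot: The conditional in the Requires(post) hunk (@@ -93,6 +93,10 @@ of rhel/openvswitch-fedora.spec.in) is spelled `%if %{with dpdk}`, while both scriptlet hunks use `%if %{with_dpdk}`. These are two different macro forms, so the usermod/groupadd dependencies and the scriptlet code that calls those tools are not guaranteed to be enabled together. Use one spelling throughout, preferably the `%{with dpdk}` form used here, so the dependency and its consumer are always switched on by the same condition.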
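Review bot: The first scriptlet hunk (@@ -362,6 +366,16 @@) creates the hugetlbfs group and sets `OVS_USER_ID=openvswitch:hugetlbfs`, but it lacks the `usermod -a -G hugetlbfs openvswitch` line that the second scriptlet hunk has, so the two install paths leave the openvswitch user with different group memberships. Either add the usermod call here or drop it from the other branch, and say in the commit message which one is intended. The new echo also overwrites the `openvswitch:openvswitch` value written to /etc/sysconfig/openvswitch-pre two lines earlier; an `%if`/`%else` around a single echo would make the resulting file obvious to the reader.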
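Review bot: In the second scriptlet hunk (@@ -373,6 +387,17 @@), the added `/bin/systemctl daemon-reload >dev/null || :` redirects to the relative path `dev/null`, not `/dev/null`. Depending on the scriptlet's working directory, this either creates a stray file or the redirection fails and the reload never runs, with `|| :` hiding the failure. It should read `/bin/systemctl daemon-reload >/dev/null 2>&1 || :`. The daemon-reload is also not mentioned in the commit message and is added to only one of the two branches; please explain why it is needed here and not in the `%systemd_post` branch.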
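Review bot: In the ovs-vswitchd.service hunk, `ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"` is added unconditionally, but the hugetlbfs group is only created inside the `%{with_dpdk}` blocks of the spec file. On a package built without DPDK the chown has no group to resolve, and because the line has no `-` prefix a failing ExecStartPre stops the service from starting. The double quotes around the whole command also make systemd treat it as one word, so the executable name includes the arguments; drop the quotes. Suggest `ExecStartPre=-/usr/sbin/chown :hugetlbfs /dev/hugepages`, or move the chown into a DPDK-only drop-in. Since the commit message itself flags the /dev/hugepages ownership change as controversial, a comment in the unit file stating why the group change is needed would help administrators who audit this unit.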
