After this commit, users may start a dpdk-enabled ovs setup as a non-root user. This is accomplished by exporting the $HOME directory, which dpdk uses to fill in its semi-persistent RTE configuration.
This change may be a bit controversial since it modifies /dev/hugepages as part of starting the ovs-vswitchd to set a hugetlbfs group ownership. This is used to enable writing to /dev/hugepages so that the dpdk_init will successfully complete. There is an alternate way of accomplishing this - namely to initialize DPDK before dropping privileges. However, this would mean that if DPDK ever grows an uninit / reinit function, non-root ovs likely could never use it. This does not change OvS+DPDK's SELinux requirements. It still must be disabled.
Signed-off-by: Aaron Conole <[email protected]>
---
 rhel/.gitignore | 1 +
 rhel/automake.mk | 3 ++-
 rhel/openvswitch-fedora.spec.in | 13 +++++++++++++
 ...rvice => usr_lib_systemd_system_ovs-vswitchd.service.in} | 4 ++++
 4 files changed, 20 insertions(+), 1 deletion(-)
 rename rhel/{usr_lib_systemd_system_ovs-vswitchd.service => usr_lib_systemd_system_ovs-vswitchd.service.in} (87%)
diff --git a/rhel/.gitignore b/rhel/.gitignore
index 164bb66..e584a1e 100644
--- a/rhel/.gitignore
+++ b/rhel/.gitignore
@@ -4,3 +4,4 @@ openvswitch-kmod-rhel6.spec
 openvswitch-kmod-fedora.spec
 openvswitch.spec
 openvswitch-fedora.spec
+usr_lib_systemd_system_ovs-vswitchd.service
diff --git a/rhel/automake.mk b/rhel/automake.mk
index 1265fa7..2d58a58 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -28,6 +28,7 @@ EXTRA_DIST += \
 rhel/usr_lib_systemd_system_openvswitch.service \
 rhel/usr_lib_systemd_system_ovsdb-server.service \
 rhel/usr_lib_systemd_system_ovs-vswitchd.service \
+ rhel/usr_lib_systemd_system_ovs-vswitchd.service.in \
 rhel/usr_lib_systemd_system_ovn-controller.service \
 rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
 rhel/usr_lib_systemd_system_ovn-northd.service \
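Review bot: EXTRA_DIST still lists `rhel/usr_lib_systemd_system_ovs-vswitchd.service` right above the new `rhel/usr_lib_systemd_system_ovs-vswitchd.service.in`, while the .gitignore hunk of this commit turns the non-.in file into a build product, so `make dist` from a clean checkout would fail on the missing file unless something generates it first. The rule that produces the unit from the template is not in this diff, so this is inferred from the hunks shown. If the generated unit must ship in the tarball it should be a prerequisite of the dist target; otherwise drop the line `rhel/usr_lib_systemd_system_ovs-vswitchd.service \` and distribute only the template.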
@@ -58,7 +59,7 @@ RPMBUILD_TOP := $(abs_top_builddir)/rpm/rpmbuild
 RPMBUILD_OPT ?= --without check

 # Build user-space RPMs
-rpm-fedora: dist $(srcdir)/rhel/openvswitch-fedora.spec
+rpm-fedora: dist $(srcdir)/rhel/openvswitch-fedora.spec rhel/usr_lib_systemd_system_ovs-vswitchd.service
 ${MKDIR_P} ${RPMBUILD_TOP}/SOURCES
 cp ${DIST_ARCHIVES} ${RPMBUILD_TOP}/SOURCES
 rpmbuild ${RPMBUILD_OPT} \
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index f4da735..26dd3c8 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -94,6 +94,10 @@ Requires: openssl hostname iproute module-init-tools
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/useradd
+%if %{with dpdk}
+Requires(post): /usr/sbin/usermod
+Requires(post): /usr/sbin/groupadd
+%endif
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
@@ -362,6 +366,15 @@ if [ $1 -eq 1 ]; then
 echo "OVS_USER_ID=openvswitch:openvswitch" > \
 %{_sysconfdir}/sysconfig/openvswitch-pre

+%if %{with dpdk}
+ getent group hugetlbfs >/dev/null || \
+ groupadd hugetlbfs
+
+ usermod -a -G hugetlbfs openvswitch
+ echo "OVS_USER_ID=openvswitch:hugetlbfs" > \
+ %{_sysconfdir}/sysconfig/openvswitch-pre
+%endif
+
 # In the case of upgrade, this is not needed.
 install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch
 fi
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
similarity index 87%
rename from rhel/usr_lib_systemd_system_ovs-vswitchd.service
rename to rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index 0434d20..8c60e86 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
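Review bot: Listing `rhel/usr_lib_systemd_system_ovs-vswitchd.service` after `dist` on the rpm-fedora line does not make it build first — prerequisite order is not a sequencing guarantee under `make -j` — so `dist`, whose EXTRA_DIST still contains this generated unit per the previous hunk, can run before the unit exists. If the tarball needs the file, attach it as a prerequisite of dist (or generate it from a dist-hook) rather than of rpm-fedora. The same line also mixes `$(srcdir)/rhel/...spec` with a bare `rhel/...service`; if the unit is deliberately produced in the build directory, a comment such as `# the .service is generated from .service.in into the build dir` would save the next reader the question. The recipe continues past the end of the hunk.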
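Review bot: The hugetlbfs group creation, the `usermod -a -G hugetlbfs openvswitch` and the rewrite of OVS_USER_ID to `openvswitch:hugetlbfs` sit inside the `if [ $1 -eq 1 ]` fresh-install branch shown in the hunk header, so a host upgrading from a package built without this block never gets the group, the membership or the new sysconfig value; unless that is intended, the `%if %{with dpdk}` block should run on upgrade too, which its `getent ... ||` and `usermod -a` forms already make safe to repeat. Making hugetlbfs the daemon's primary group via OVS_USER_ID also means files the daemon creates are group-owned by hugetlbfs rather than openvswitch, which the `install -d -m 0755 -o openvswitch -g openvswitch /etc/openvswitch` two lines down does not reflect — a one-line comment stating that this is deliberate would help. Minor: `groupadd hugetlbfs` creates a regular group; if the openvswitch account is created as a system account elsewhere in %post, `groupadd -r hugetlbfs` would be consistent. The enclosing if-block begins before the hunk.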
@@ -11,8 +11,12 @@ PartOf=openvswitch.service
 Type=forking
 Restart=on-failure
 Environment="OVS_USER_ID=root:root"
+Environment="HOME=/var/run/openvswitch"
 EnvironmentFile=-/etc/sysconfig/openvswitch-pre
 EnvironmentFile=-/etc/sysconfig/openvswitch
+@begin_dpdk@
+ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"
+@end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
 --no-ovsdb-server --no-monitor --system-id=random \
 --ovs-user=${OVS_USER_ID} \
-- 
2.9.4
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
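Review bot: `ExecStartPre="/usr/sbin/chown :hugetlbfs /dev/hugepages"` quotes the entire command as one token, and systemd applies shell-style quoting to Exec lines, so the executable path becomes the literal string `/usr/sbin/chown :hugetlbfs /dev/hugepages` and the unit fails to start; the line should read `ExecStartPre=/usr/sbin/chown :hugetlbfs /dev/hugepages`. Two things to confirm on a Fedora target: coreutils installs chown in /usr/bin, so the /usr/sbin path may not exist, and changing only the group of /dev/hugepages grants group write only if the hugetlbfs mount mode already allows it — the commit message relies on this chown to enable writing, so a 0755 mount would also need a chmod of the mount point or a mount option. Because the mount then becomes writable by every member of hugetlbfs, a comment on the template line such as `# make the hugepage mount writable by the hugetlbfs group (OVS_USER_ID's group when built with dpdk) so dpdk_init can run after privileges are dropped` records the intent.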
