Under rpm based distributions, the only user:group that the rhel daemons run as is 'root:root'. This is fine as a default, but as part of a security procedure, users may want to run as an alternate uid/gid. This commit adds an OVS_USER_ID environment variable for systemd, which defaults to root:root, but can be overridden by changing the /etc/sysconfig/openvswitch environment file.
Reviewed-by: Markos Chandras <mchand...@suse.de>
Signed-off-by: Aaron Conole <acon...@redhat.com>
---
 rhel/automake.mk | 1 +
 rhel/etc_openvswitch_default.conf | 5 +++++
 rhel/openvswitch-fedora.spec.in | 4 ++++
 rhel/usr_lib_systemd_system_ovs-vswitchd.service | 3 +++
 rhel/usr_lib_systemd_system_ovsdb-server.service | 3 +++
 rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template | 3 +++
 6 files changed, 19 insertions(+)
 create mode 100644 rhel/etc_openvswitch_default.conf

diff --git a/rhel/automake.mk b/rhel/automake.mk
index 1265fa7..2d9443f 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -10,6 +10,7 @@ EXTRA_DIST += \
 rhel/automake.mk \
 rhel/etc_init.d_openvswitch \
 rhel/etc_logrotate.d_openvswitch \
+ rhel/etc_openvswitch_default.conf \
 rhel/etc_sysconfig_network-scripts_ifdown-ovs \
 rhel/etc_sysconfig_network-scripts_ifup-ovs \
 rhel/openvswitch-dkms.spec \
diff --git a/rhel/etc_openvswitch_default.conf b/rhel/etc_openvswitch_default.conf
new file mode 100644
index 0000000..c74417d
--- /dev/null
+++ b/rhel/etc_openvswitch_default.conf
@@ -0,0 +1,5 @@
+# DO NOT EDIT THIS FILE
+
+# The following is the *default* configuration for the openvswitch user ID.
+# This is for backward compatibility.
+OVS_USER_ID="root:root"
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index f822ad3..88d4331 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -246,6 +246,9 @@ done
 install -m 0755 rhel/etc_init.d_openvswitch \
 $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/openvswitch.init
+install -p -D -m 0644 rhel/etc_openvswitch_default.conf \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/openvswitch/default.conf
+
 install -p -D -m 0644 rhel/etc_logrotate.d_openvswitch \
 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/openvswitch
@@ -481,6 +484,7 @@ fi
 %{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
 %{_sysconfdir}/bash_completion.d/ovs-vsctl-bashcomp.bash
 %dir %{_sysconfdir}/openvswitch
+%{_sysconfdir}/openvswitch/default.conf
 %config %ghost %{_sysconfdir}/openvswitch/conf.db
 %ghost %{_sysconfdir}/openvswitch/.conf.db.~lock~
 %config %ghost %{_sysconfdir}/openvswitch/system-id.conf
diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
index 22a4c63..48231b3 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service
@@ -10,11 +10,14 @@ PartOf=openvswitch.service
 [Service]
 Type=forking
 Restart=on-failure
+EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
 --no-ovsdb-server --no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
 start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
 --no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
 restart $OPTIONS
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 68deace..b82cb33 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
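Review bot: The new `EnvironmentFile=/etc/openvswitch/default.conf` line in ovs-vswitchd.service carries no `-` prefix, so if that file is ever missing or unreadable systemd refuses to start the unit, unlike the tolerant `EnvironmentFile=-/etc/sysconfig/openvswitch` directly beneath it; the same line is added to ovsdb-server.service in the next hunk. That looks intentional, since the spec installs the file unconditionally and does not mark it `%config`, but a hard dependency on a file that says "DO NOT EDIT" deserves a comment above the line, e.g. `# Required: ships the root:root default for OVS_USER_ID; override it in /etc/sysconfig/openvswitch, do not edit it`. The unit still launches ovs-ctl as root with no `User=` directive, so whatever privilege drop a non-root OVS_USER_ID achieves happens inside ovs-ctl, which this patch does not show; the unit itself performs no validation of the value. Note also that `${OVS_USER_ID}` expands to a single argument even when the override sets the variable to an empty string, so ovs-ctl would then receive `--ovs-user=` with an empty value, and whether it rejects that is not visible here.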
@@ -8,12 +8,15 @@ PartOf=openvswitch.service
 [Service]
 Type=forking
 Restart=on-failure
+EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
 --no-ovs-vswitchd --no-monitor --system-id=random \
+ --ovs-user=${OVS_USER_ID} \
 start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
+ --ovs-user=${OVS_USER_ID} \
 --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
diff --git a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
index 3050a07..fdaee00 100644
--- a/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
+++ b/rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template
@@ -21,3 +21,6 @@
 # --ovsdb-server-wrapper=valgrind
 #
 OPTIONS=""
+
+# Uncomment and set the OVS User/Group value
+#OVS_USER_ID="openvswitch:openvswitch"
-- 
2.9.4

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
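Review bot: The new comment `# Uncomment and set the OVS User/Group value` in the sysconfig template does not tell the administrator that the value format is `user:group`, that both must already exist on the system before the units are restarted, or that this file (not `/etc/openvswitch/default.conf`, which is packaged as non-editable) is the place to change it. The unit files pass the value straight to ovs-ctl without checking it, so the template is the only point where that guidance can live; I would replace the two new lines with a short comment along the lines of `# Run both daemons as this user:group instead of the root:root default from /etc/openvswitch/default.conf; the account and group must already exist.` followed by the example `#OVS_USER_ID="openvswitch:openvswitch"`. Whether this package creates an openvswitch user is not visible in the patch, so the example should not be read as implying it does.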