This series attempts to introduce the ability to start and use Open vSwitch
'out of the box' as a non-root user. It does this by modifying the service
files to pass the recently introduced --ovs-user argument around, and by
making some minor tweaks to the passwd, group, and filesystem information.

I prefixed the packaging work with 'redhat', but if rpm or packaging is a
preferred prefix for that work, I can respin.

The more controversial changes are:
* This modifies the /etc/sysconfig/ file on install.
* The dpdk support directly modifies /dev/hugepages with a call to chmod
* A new user 'openvswitch', and up to two new groups 'openvswitch', and
  'hugetlbfs' are created

After this series:

> [root@wsfd-netdev60 ~]# yum install openvswitch-2.7.90-1.fc25.x86_64.rpm
> Loaded plugins: product-id, search-disabled-repos, subscription-manager
> This system is not registered to Red Hat Subscription Management. You can use
> subscription-manager to register.
> Examining openvswitch-2.7.90-1.fc25.x86_64.rpm:
> openvswitch-2.7.90-1.fc25.x86_64
> Marking openvswitch-2.7.90-1.fc25.x86_64.rpm to be installed
> Resolving Dependencies
> --> Running transaction check
> ---> Package openvswitch.x86_64 0:2.7.90-1.fc25 will be installed
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
> Package Arch Version Repository
> Size
> ================================================================================
> Installing:
> openvswitch x86_64 2.7.90-1.fc25 /openvswitch-2.7.90-1.fc25.x86_64 11
> M
>
> Transaction Summary
> ================================================================================
> Install 1 Package
>
> Total size: 11 M
> Installed size: 11 M
> Is this ok [y/d/N]: y
> Downloading packages:
> Running transaction check
> Running transaction test
> Transaction test succeeded
> Running transaction
> Installing : openvswitch-2.7.90-1.fc25.x86_64
> 1/1
> Verifying : openvswitch-2.7.90-1.fc25.x86_64
> 1/1
>
> Installed:
> openvswitch.x86_64 0:2.7.90-1.fc25
>
>
> Complete!
> [root@wsfd-netdev60 ~]# systemctl start openvswitch
> [root@wsfd-netdev60 ~]# ps aux | grep ovs
> openvsw+ 12642 0.0 0.0 47864 2296 ? S<s 10:57 0:00
> ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info
> --remote=punix:/var/run/openvswitch/db.sock
> --private-key=db:Open_vSwitch,SSL,private_key
> --certificate=db:Open_vSwitch,SSL,certificate
> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user
> openvswitch:openvswitch --no-chdir
> --log-file=/var/log/openvswitch/ovsdb-server.log
> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
> openvsw+ 12688 0.0 0.0 49588 10600 ? S<Ls 10:57 0:00
> ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err
> -vfile:info --mlockall --user openvswitch:openvswitch --no-chdir
> --log-file=/var/log/openvswitch/ovs-vswitchd.log
> --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach

v1->v2: https://lists.linux-foundation.org/pipermail/ovs-dev/2017-June/333417.html

The previous method used 3 different locations of configuration from
environment variables:
1. The systemd file.
2. A new /etc/sysconfig/openvswitch-pre
3. The existing /etc/sysconfig/openvswitch

Now, configuration is from two areas:
1. A new /etc/openvswitch/default.conf
2. The existing /etc/sysconfig/openvswitch

As part of the install, we set the OVS_USER_ID to the new values.

v2->v3: https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/334946.html

Refactor for the dpdk non-root user portion due to an issue discovered where
the generated service file didn't honor new configuration when re-running
./configure.

Also, converted the "Reviewed-by" to "Acked-by". This is because there is no
such thing as Reviewed-by in the OVS contributing guide.

Finally, included some documentation updates.

v3->v4: https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/336558.html

Remove the makefile modifications

Aaron Conole (5):
  redhat: allow arbitrary user:group
  redhat: dynamically allocate and reference ovs user
  dpdkstrip: add a preprocessor tool for stripping dpdk blocks
  redhat: dynamic service file for vswitchd
  redhat: allow dpdk to also run as non-root user

 Documentation/intro/install/dpdk.rst               |  7 ++++
 Makefile.am                                        |  1 +
 NEWS                                               |  1 +
 build-aux/dpdkstrip.pl                             | 35 +++++++++++++++++++
 rhel/.gitignore                                    |  1 +
 rhel/README.RHEL.rst                               | 11 ++++++
 rhel/automake.mk                                   |  5 ++-
 rhel/etc_openvswitch_default.conf                  |  5 +++
 rhel/openvswitch-fedora.spec.in                    | 39 ++++++++++++++++++++++
 ...usr_lib_systemd_system_ovs-vswitchd.service.in} |  8 +++++
 rhel/usr_lib_systemd_system_ovsdb-server.service   |  4 +++
 ..._openvswitch_scripts_systemd_sysconfig.template |  3 ++
 12 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 build-aux/dpdkstrip.pl
 create mode 100644 rhel/etc_openvswitch_default.conf
 rename rhel/{usr_lib_systemd_system_ovs-vswitchd.service => usr_lib_systemd_system_ovs-vswitchd.service.in} (72%)

-- 
2.9.4
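
An added example, not part of the original message or the OVS tree: a post-install check that both daemons shown in the `ps` output above are running unprivileged and were started with `--user`. The function name `check_ovs_nonroot` and the sample lines are constructed for illustration; the input format assumed is that of `ps -eo user:32,args`.

```shell
#!/bin/sh
# Audit that ovsdb-server and ovs-vswitchd dropped root.
# Reads "USER ARGS..." lines on stdin, e.g. from:
#   ps -eo user:32,args | check_ovs_nonroot
# (user:32 avoids the "openvsw+" truncation that `ps aux` shows).
# Exit status is 0 only if both daemons are present, non-root and
# carry a --user argument.
check_ovs_nonroot() {
    awk '
    {
        user = $1; name = $2
        sub(/.*\//, "", name)              # strip any leading path
        if (name != "ovsdb-server" && name != "ovs-vswitchd") next
        seen[name] = 1
        has_user = 0
        for (i = 3; i <= NF; i++)
            if ($i == "--user" || $i ~ /^--user=/) has_user = 1
        if (user == "root" || user == "0") {
            printf "FAIL %s runs as root\n", name; bad = 1
        } else if (!has_user) {
            printf "WARN %s is non-root but has no --user argument\n", name; bad = 1
        } else {
            printf "OK   %s runs as %s\n", name, user
        }
    }
    END {
        if (!seen["ovsdb-server"]) { print "FAIL ovsdb-server not running"; bad = 1 }
        if (!seen["ovs-vswitchd"]) { print "FAIL ovs-vswitchd not running"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample input, modelled on the ps output in the message.
SAMPLE_GOOD='openvswitch ovsdb-server /etc/openvswitch/conf.db --user openvswitch:openvswitch --no-chdir --detach
openvswitch ovs-vswitchd unix:/var/run/openvswitch/db.sock --mlockall --user openvswitch:openvswitch --no-chdir --detach'
# Constructed failure case: vswitchd still started as root, without --user.
SAMPLE_BAD='openvswitch ovsdb-server /etc/openvswitch/conf.db --user openvswitch:openvswitch --detach
root ovs-vswitchd unix:/var/run/openvswitch/db.sock --mlockall --detach'

# Demonstration on the constructed failure case.
printf '%s\n' "$SAMPLE_BAD" | check_ovs_nonroot || true
```
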