Thanks, Ilya!

> On 20 Feb 2023, at 22:21, Ilya Maximets <i.maxim...@ovn.org> wrote:
> 
> On 2/15/23 22:20, Vladislav Odintsov wrote:
>> Hi Ilya,
>> 
>> That's my bad - they were the initial names of options, which I renamed later 
>> and missed this place before sending a patch.
>> I’m absolutely fine with the proposed change. Please fold it while applying the 
>> patch.
> 
> Thanks, Vladislav and Eelco!
> I updated the NEWS and applied the change.
> 
> Best regards, Ilya Maximets.
> 
>> 
>> Thanks.
>> 
>> regards,
>> Vladislav Odintsov
>> 
>>> On 15 Feb 2023, at 22:25, Ilya Maximets <i.maxim...@ovn.org> wrote:
>>> 
>>> On 2/10/23 17:02, Vladislav Odintsov wrote:
>>>> This patch adds new ovs-ctl options to pass umask configuration to allow
>>>> OVS daemons set requested socket permissions on group.  Previous
>>>> behaviour (if using with systemd service unit) created sockets with 0750
>>>> permissions mask (group has no write permission).
>>>> 
>>>> Write permission for group is reasonable in usecase, where ovs-vswitchd
>>>> or ovsdb-server runs as a non-privileged user:group (say,
>>>> openvswitch:openvswitch) and it is needed to access unix socket from
>>>> process running as another non-privileged user.  In this case
>>>> administrator has to add that user to openvswitch group and can connect
>>>> to OVS sockets from a process running under that user.
>>>> 
>>>> Two new ovs-ctl options --ovsdb-server-umask and --ovs-vswitchd-umask
>>>> were added to manage umask values for appropriate daemons.  This is
>>>> useful for systemd users: both ovs-vswitchd and ovsdb-server systemd
>>>> units read options from single /etc/sysconfig/openvswitch configuration
>>>> file.  So, with separate options it is possible to set umask only for
>>>> specific daemon.
>>>> 
>>>> OPTIONS="--ovsdb-server-umask=0002"
>>>> 
>>>> in /etc/openvswitch/sysconfig file will set umask to 0002 value before
>>>> starting only ovsdb-server, while
>>>> 
>>>> OPTIONS="--ovs-vswitchd-umask=0002"
>>>> 
>>>> will set umask to ovs-vswitchd daemon.
>>>> 
>>>> Previous behaviour (not setting umask) is left as default.
>>>> 
>>>> Reported-at: 
>>>> https://mail.openvswitch.org/pipermail/ovs-dev/2023-January/401501.html
>>>> Signed-off-by: Vladislav Odintsov <odiv...@gmail.com>
>>>> 
>>>> ---
>>>> v2 -> v3:
>>>> - addressed Eelco's review comments.
>>>> 
>>>> v1 -> v2:
>>>> - added item in NEWS file as Ilya's suggestion;
>>>> - addressed Eelco's review comments;
>>>> - moved umask call from ovs-ctl to ovs-lib;
>>>> - added restoration of umask to effective value before the umask change;
>>>> - previous version --ovs-umask option was split into two:
>>>>   --ovs-vswitchd-umask and --ovsdb-server-umask in order to make
>>>>   possible umask configuration for specific daemon when running with
>>>>   systemd.
>>>> ---
>>>> NEWS                 |  7 +++++++
>>>> utilities/ovs-ctl.in | 16 ++++++++++++----
>>>> utilities/ovs-lib.in | 17 ++++++++++++++---
>>>> 3 files changed, 33 insertions(+), 7 deletions(-)
>>>> 
>>>> diff --git a/NEWS b/NEWS
>>>> index fe6055a27..f7df598bd 100644
>>>> --- a/NEWS
>>>> +++ b/NEWS
>>>> @@ -4,6 +4,13 @@ Post-v3.1.0
>>>>     * OVS now collects per-interface upcall statistics that can be obtained
>>>>       via 'ovs-appctl dpctl/show -s' or the interface's statistics column
>>>>       in OVSDB.  Available with upstream kernel 6.2+.
>>>> +   - ovs-ctl:
>>>> +     * Added support to set umask value when starting OVS daemons.  New 
>>>> options
>>>> +       --ovsdb-server-umask=MODE and --ovs-vswitchd-umask=MODE were added 
>>>> for
>>>> +       that.  For instance, when write access on befalf of OVS group is 
>>>> needed
>>>> +       for ovsdb-server, pass --ovsdb-umask=0002.  Use --vswitchd-umask 
>>>> to set
>>>> +       umask ovs-vswitchd daemon umask.  This will allow ovsdb-server or
>>>> +       ovs-vswitchd to create sockets with access mode of 0770.
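Review bot: The example option names in the added NEWS entry, --ovsdb-umask and --vswitchd-umask, do not match the options the same entry introduces two lines earlier (--ovsdb-server-umask=MODE and --ovs-vswitchd-umask=MODE), so a reader copying the example would pass names the entry never defines. Use the full option names in the example. In the same added text, "befalf" should be "behalf", and "to set umask ovs-vswitchd daemon umask" repeats "umask" and is missing a word; "to set the ovs-vswitchd daemon umask" would read correctly.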
>>> 
>>> The options in the example are incorrect.
>>> Also, the text seems slightly too extensive.
>>> 
>>> What do you think about this:
>>> 
>>>  - ovs-ctl:
>>>    * Added new options --[ovsdb-server|ovs-vswitchd]-umask=MODE to set umask
>>>      value when starting OVS daemons.  E.g., use --ovsdb-server-umask=0002
>>>      in order to create OVSDB sockets with access mode of 0770.
>>> 
>>> ?
>>> 
>>> I could fold this in while applying the change.
>>> 
>>> Best regards, Ilya Maximets.
> 
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Regards,
Vladislav Odintsov
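
The umask effect described in the quoted commit message, as an added example that is not part of this thread or of the OVS sources. It assumes Linux and that the daemon requests mode 0770 on its socket via fchmod() before bind(), which is what the 0750 and 0770 figures in the thread imply; the function names are hypothetical.

```python
import os
import socket
import stat
import tempfile

# Assumption: the daemon asks for 0770 on its socket before bind(); the
# 0750 and 0770 results quoted in the thread are consistent with that.
REQUESTED_MODE = 0o770


def current_umask():
    """Read the process umask (it can only be read by setting it)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def socket_mode_under_umask(mask, requested=REQUESTED_MODE):
    """Bind a Unix socket under `mask` and return the socket file's mode.

    Linux behaviour: fchmod() on the unbound fd sets the requested mode,
    and bind() then clears every bit that is set in the process umask.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        previous = os.umask(mask)      # change the umask only around bind()
        try:
            os.fchmod(sock.fileno(), requested)
            sock.bind(path)
        finally:
            os.umask(previous)         # restore the caller's umask
            sock.close()
        return stat.S_IMODE(os.stat(path).st_mode)


def group_can_connect(mode):
    """connect() to a Unix socket needs write permission on the socket file."""
    return bool(mode & stat.S_IWGRP)


if __name__ == "__main__":
    # 0o022 is systemd's default UMask=; 0o002 is the value from the thread.
    for mask in (0o022, 0o002):
        mode = socket_mode_under_umask(mask)
        print(f"umask {mask:04o} -> socket {mode:04o}, "
              f"group connect: {group_can_connect(mode)}, "
              f"other bits: {mode & 0o007:03o}")
```

With umask 0002 the group gains write access, so every member of that group can connect to the socket, while the "other" bits stay cleared in both cases.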
