subject:"\[ovs\-dev\] \[PATCH\] rhel\: if rpms were built without libcapng then let processrs to run as root"

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-17 Thread Aaron Conole

Ansis Atteka  writes:

> On Tue, 16 Apr 2019 at 12:36, Ansis Atteka  wrote:
>>
>> On Tue, 16 Apr 2019 at 10:46, Aaron Conole  wrote:
>> >
>> > Ansis Atteka  writes:
>> >
>> > > Otherwise, Open vSwitch will fail to start with the following
>> > > error "libcap-ng is not configured at compile time" when it
>> > > attempts to downgrade to Open vSwitch user.
>> > >
>> > > Also, if packages were built in a way where processes are
>> > > supposed to be running only as root, then there is no point
>> > > in creating "openvswitch" user in the first place.
>> > >
>> > > Signed-off-by: Ansis Atteka 
>> > > ---
>> >
>> > It seems strange to not provide a user-downgrade option just because we
>> > cannot drop capabilities via libcap-ng.
>>
>> I did not look too close in the daemon-unix.c, but I believe in
>> current design "linux capabilities" and "linux user downgrade" go hand
>> in hand (i.e. you either do both or neither). At least for Linux
>> Kernel datapath. Not sure about other datapaths.

I guess this is because we need cap_net_admin, cap_net_raw, etc.,
but it's possible to keep this even without using libcap-ng (or even
needing programmatic idiom, iirc).  For example, it is possible to
attach these capabilities to the ovs-vswitchd binary on the filesystem
(for filesystems which support) and thereby provide this functionality
without needing libcap-ng.

Then we retain the ability to run as a (mostly) unprivileged user, and
still provide the control and slow-path for the kernel space side.

>> >
>> > Maybe it's possible instead to change daemon-unix.c to provide an
>> > alternative fallback when building on linux without libcapng?  Something
>> > like the untested code here.  I have no idea if all of the capabilities
>> > will get dropped when the user/group ids are changed, but we might be
>> > able to deal with that as well.  WDYT?
>>
>> I can take a look at that and if there is a valid use-case I can send
>> another patch addressing that specific issue. However, I think we can
>> at this time proceed with this patch, because
>> 1. it fixes fatal bug when OVS was built without libcap-ng support; AND
>> 2. it does break anything when OVS was built with libcap-ng support.
>
> meant to say "it does NOT break anything"
>>
>> Let me know what you think and if I am missing something? Is your main
>> concern that if there turns out to be a valid use case to not have
>> libcap-ng support but still user downgrade feature, then portions of
>> this patch will need to be reverted? If so, I am fine with that...

RHEL systems run as non-root user by default.  I think it's a valid
use-case.  I agree, we need to address the issue when building without
libcap-ng.  Can you check if it is possible to update the RPM build so
that the file capabilities are attached to the ovs-vswitchd executable
directly?  If it works, it would allow us to achieve the same end result
in an alternative path.

>> >
>> > diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
>> > index 6169763c2..cd2f66295 100644
>> > --- a/lib/daemon-unix.c
>> > +++ b/lib/daemon-unix.c
>> > @@ -859,9 +859,10 @@ daemon_become_new_user__(bool access_datapath)
>> >  if (LIBCAPNG) {
>> >  daemon_become_new_user_linux(access_datapath);
>> >  } else {
>> > -VLOG_FATAL("%s: fail to downgrade user using libcap-ng. "
>> > -   "(libcap-ng is not configured at compile time), "
>> > -   "aborting.", pidfile);
>> > +VLOG_INFO("%s: fail to downgrade user using libcap-ng. "
>> > +  "(libcap-ng is not configured at compile time).",
>> > +  pidfile);
>> > +daemon_become_new_user_unix();
>> >  }
>> >  } else {
>> >  daemon_become_new_user_unix();
>> >
>> >
>> > >  poc/playbook-fedora-builder.yml | 6 +++---
>> > >  rhel/openvswitch-fedora.spec.in | 8 
>> > >  2 files changed, 11 insertions(+), 3 deletions(-)
>> > >
>> > > diff --git a/poc/playbook-fedora-builder.yml 
>> > > b/poc/playbook-fedora-builder.yml
>> > > index 70f0b6ff2..b955714fc 100644
>> > > --- a/poc/playbook-fedora-builder.yml
>> > > +++ b/poc/playbook-fedora-builder.yml
>> > > @@ -99,17 +99,17 @@
>> > >- openvswitch-dkms.spec
>> > >
>> > >- name: Build Open vSwitch user space rpms
>> > > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
>> > > +command: rpmbuild -bb --without check --without libcapng 
>> > > rhel/openvswitch-fedora.spec
>> > >  args:
>> > >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>> > >
>> > >- name: Build Open vSwitch kmod rpm
>> > > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
>> > > +command: rpmbuild -bb --without check --without libcapng 
>> > > rhel/openvswitch-fedora.spec
>> > >  args:
>> > >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>> > >
>> > >- name: Build Open vSwitch dkms rpm
>> > > -command: rpmbui

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-16 Thread Ansis Atteka

On Tue, 16 Apr 2019 at 12:36, Ansis Atteka  wrote:
>
> On Tue, 16 Apr 2019 at 10:46, Aaron Conole  wrote:
> >
> > Ansis Atteka  writes:
> >
> > > Otherwise, Open vSwitch will fail to start with the following
> > > error "libcap-ng is not configured at compile time" when it
> > > attempts to downgrade to Open vSwitch user.
> > >
> > > Also, if packages were built in a way where processes are
> > > supposed to be running only as root, then there is no point
> > > in creating "openvswitch" user in the first place.
> > >
> > > Signed-off-by: Ansis Atteka 
> > > ---
> >
> > It seems strange to not provide a user-downgrade option just because we
> > cannot drop capabilities via libcap-ng.
>
> I did not look too close in the daemon-unix.c, but I believe in
> current design "linux capabilities" and "linux user downgrade" go hand
> in hand (i.e. you either do both or neither). At least for Linux
> Kernel datapath. Not sure about other datapaths.
>
> >
> > Maybe it's possible instead to change daemon-unix.c to provide an
> > alternative fallback when building on linux without libcapng?  Something
> > like the untested code here.  I have no idea if all of the capabilities
> > will get dropped when the user/group ids are changed, but we might be
> > able to deal with that as well.  WDYT?
>
> I can take a look at that and if there is a valid use-case I can send
> another patch addressing that specific issue. However, I think we can
> at this time proceed with this patch, because
> 1. it fixes fatal bug when OVS was built without libcap-ng support; AND
> 2. it does break anything when OVS was built with libcap-ng support.

meant to say "it does NOT break anything"
>
> Let me know what you think and if I am missing something? Is your main
> concern that if there turns out to be a valid use case to not have
> libcap-ng support but still user downgrade feature, then portions of
> this patch will need to be reverted? If so, I am fine with that...
> >
> > diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
> > index 6169763c2..cd2f66295 100644
> > --- a/lib/daemon-unix.c
> > +++ b/lib/daemon-unix.c
> > @@ -859,9 +859,10 @@ daemon_become_new_user__(bool access_datapath)
> >  if (LIBCAPNG) {
> >  daemon_become_new_user_linux(access_datapath);
> >  } else {
> > -VLOG_FATAL("%s: fail to downgrade user using libcap-ng. "
> > -   "(libcap-ng is not configured at compile time), "
> > -   "aborting.", pidfile);
> > +VLOG_INFO("%s: fail to downgrade user using libcap-ng. "
> > +  "(libcap-ng is not configured at compile time).",
> > +  pidfile);
> > +daemon_become_new_user_unix();
> >  }
> >  } else {
> >  daemon_become_new_user_unix();
> >
> >
> > >  poc/playbook-fedora-builder.yml | 6 +++---
> > >  rhel/openvswitch-fedora.spec.in | 8 
> > >  2 files changed, 11 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/poc/playbook-fedora-builder.yml 
> > > b/poc/playbook-fedora-builder.yml
> > > index 70f0b6ff2..b955714fc 100644
> > > --- a/poc/playbook-fedora-builder.yml
> > > +++ b/poc/playbook-fedora-builder.yml
> > > @@ -99,17 +99,17 @@
> > >- openvswitch-dkms.spec
> > >
> > >- name: Build Open vSwitch user space rpms
> > > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> > > +command: rpmbuild -bb --without check --without libcapng 
> > > rhel/openvswitch-fedora.spec
> > >  args:
> > >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> > >
> > >- name: Build Open vSwitch kmod rpm
> > > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> > > +command: rpmbuild -bb --without check --without libcapng 
> > > rhel/openvswitch-fedora.spec
> > >  args:
> > >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> > >
> > >- name: Build Open vSwitch dkms rpm
> > > -command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
> > > +command: rpmbuild -bb --without check --without libcapng 
> > > rhel/openvswitch-dkms.spec
> > >  args:
> > >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> > >
> > > diff --git a/rhel/openvswitch-fedora.spec.in 
> > > b/rhel/openvswitch-fedora.spec.in
> > > index c1cd3f4c6..ce728b4f0 100644
> > > --- a/rhel/openvswitch-fedora.spec.in
> > > +++ b/rhel/openvswitch-fedora.spec.in
> > > @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
> > >  %endif
> > >
> > >  %pre
> > > +%if %{with libcapng}
> > >  getent group openvswitch >/dev/null || groupadd -r openvswitch
> > >  getent passwd openvswitch >/dev/null || \
> > >  useradd -r -g openvswitch -d / -s /sbin/nologin \
> > > @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
> > >  getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
> > >  usermod -a -G hugetlbfs openvswitch
> > >  %endif
> > > +%endif
> > >  exit 0
> > >
> > >  %post
> > > +%if

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-16 Thread Ansis Atteka

On Tue, 16 Apr 2019 at 10:46, Aaron Conole  wrote:
>
> Ansis Atteka  writes:
>
> > Otherwise, Open vSwitch will fail to start with the following
> > error "libcap-ng is not configured at compile time" when it
> > attempts to downgrade to Open vSwitch user.
> >
> > Also, if packages were built in a way where processes are
> > supposed to be running only as root, then there is no point
> > in creating "openvswitch" user in the first place.
> >
> > Signed-off-by: Ansis Atteka 
> > ---
>
> It seems strange to not provide a user-downgrade option just because we
> cannot drop capabilities via libcap-ng.

I did not look too close in the daemon-unix.c, but I believe in
current design "linux capabilities" and "linux user downgrade" go hand
in hand (i.e. you either do both or neither). At least for Linux
Kernel datapath. Not sure about other datapaths.

>
> Maybe it's possible instead to change daemon-unix.c to provide an
> alternative fallback when building on linux without libcapng?  Something
> like the untested code here.  I have no idea if all of the capabilities
> will get dropped when the user/group ids are changed, but we might be
> able to deal with that as well.  WDYT?

I can take a look at that and if there is a valid use-case I can send
another patch addressing that specific issue. However, I think we can
at this time proceed with this patch, because
1. it fixes fatal bug when OVS was built without libcap-ng support; AND
2. it does break anything when OVS was built with libcap-ng support.

Let me know what you think and if I am missing something? Is your main
concern that if there turns out to be a valid use case to not have
libcap-ng support but still user downgrade feature, then portions of
this patch will need to be reverted? If so, I am fine with that...
>
> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
> index 6169763c2..cd2f66295 100644
> --- a/lib/daemon-unix.c
> +++ b/lib/daemon-unix.c
> @@ -859,9 +859,10 @@ daemon_become_new_user__(bool access_datapath)
>  if (LIBCAPNG) {
>  daemon_become_new_user_linux(access_datapath);
>  } else {
> -VLOG_FATAL("%s: fail to downgrade user using libcap-ng. "
> -   "(libcap-ng is not configured at compile time), "
> -   "aborting.", pidfile);
> +VLOG_INFO("%s: fail to downgrade user using libcap-ng. "
> +  "(libcap-ng is not configured at compile time).",
> +  pidfile);
> +daemon_become_new_user_unix();
>  }
>  } else {
>  daemon_become_new_user_unix();
>
>
> >  poc/playbook-fedora-builder.yml | 6 +++---
> >  rhel/openvswitch-fedora.spec.in | 8 
> >  2 files changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/poc/playbook-fedora-builder.yml 
> > b/poc/playbook-fedora-builder.yml
> > index 70f0b6ff2..b955714fc 100644
> > --- a/poc/playbook-fedora-builder.yml
> > +++ b/poc/playbook-fedora-builder.yml
> > @@ -99,17 +99,17 @@
> >- openvswitch-dkms.spec
> >
> >- name: Build Open vSwitch user space rpms
> > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> > +command: rpmbuild -bb --without check --without libcapng 
> > rhel/openvswitch-fedora.spec
> >  args:
> >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> >
> >- name: Build Open vSwitch kmod rpm
> > -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> > +command: rpmbuild -bb --without check --without libcapng 
> > rhel/openvswitch-fedora.spec
> >  args:
> >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> >
> >- name: Build Open vSwitch dkms rpm
> > -command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
> > +command: rpmbuild -bb --without check --without libcapng 
> > rhel/openvswitch-dkms.spec
> >  args:
> >  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
> >
> > diff --git a/rhel/openvswitch-fedora.spec.in 
> > b/rhel/openvswitch-fedora.spec.in
> > index c1cd3f4c6..ce728b4f0 100644
> > --- a/rhel/openvswitch-fedora.spec.in
> > +++ b/rhel/openvswitch-fedora.spec.in
> > @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
> >  %endif
> >
> >  %pre
> > +%if %{with libcapng}
> >  getent group openvswitch >/dev/null || groupadd -r openvswitch
> >  getent passwd openvswitch >/dev/null || \
> >  useradd -r -g openvswitch -d / -s /sbin/nologin \
> > @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
> >  getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
> >  usermod -a -G hugetlbfs openvswitch
> >  %endif
> > +%endif
> >  exit 0
> >
> >  %post
> > +%if %{with libcapng}
> >  if [ $1 -eq 1 ]; then
> >  sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
> >  sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' 
> > %{_sysconfdir}/logrotate.d/openvswitch
> > @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
> >  chown -R openvswitch:openvswitch /etc/openvsw

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-16 Thread Aaron Conole

Ansis Atteka  writes:

> Otherwise, Open vSwitch will fail to start with the following
> error "libcap-ng is not configured at compile time" when it
> attempts to downgrade to Open vSwitch user.
>
> Also, if packages were built in a way where processes are
> supposed to be running only as root, then there is no point
> in creating "openvswitch" user in the first place.
>
> Signed-off-by: Ansis Atteka 
> ---

It seems strange to not provide a user-downgrade option just because we
cannot drop capabilities via libcap-ng.

Maybe it's possible instead to change daemon-unix.c to provide an
alternative fallback when building on linux without libcapng?  Something
like the untested code here.  I have no idea if all of the capabilities
will get dropped when the user/group ids are changed, but we might be
able to deal with that as well.  WDYT?

diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
index 6169763c2..cd2f66295 100644
--- a/lib/daemon-unix.c
+++ b/lib/daemon-unix.c
@@ -859,9 +859,10 @@ daemon_become_new_user__(bool access_datapath)
 if (LIBCAPNG) {
 daemon_become_new_user_linux(access_datapath);
 } else {
-VLOG_FATAL("%s: fail to downgrade user using libcap-ng. "
-   "(libcap-ng is not configured at compile time), "
-   "aborting.", pidfile);
+VLOG_INFO("%s: fail to downgrade user using libcap-ng. "
+  "(libcap-ng is not configured at compile time).",
+  pidfile);
+daemon_become_new_user_unix();
 }
 } else {
 daemon_become_new_user_unix();


>  poc/playbook-fedora-builder.yml | 6 +++---
>  rhel/openvswitch-fedora.spec.in | 8 
>  2 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/poc/playbook-fedora-builder.yml b/poc/playbook-fedora-builder.yml
> index 70f0b6ff2..b955714fc 100644
> --- a/poc/playbook-fedora-builder.yml
> +++ b/poc/playbook-fedora-builder.yml
> @@ -99,17 +99,17 @@
>- openvswitch-dkms.spec
>  
>- name: Build Open vSwitch user space rpms
> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +command: rpmbuild -bb --without check --without libcapng 
> rhel/openvswitch-fedora.spec
>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>  
>- name: Build Open vSwitch kmod rpm
> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +command: rpmbuild -bb --without check --without libcapng 
> rhel/openvswitch-fedora.spec
>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>  
>- name: Build Open vSwitch dkms rpm
> -command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
> +command: rpmbuild -bb --without check --without libcapng 
> rhel/openvswitch-dkms.spec
>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>  
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index c1cd3f4c6..ce728b4f0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
>  %endif
>  
>  %pre
> +%if %{with libcapng}
>  getent group openvswitch >/dev/null || groupadd -r openvswitch
>  getent passwd openvswitch >/dev/null || \
>  useradd -r -g openvswitch -d / -s /sbin/nologin \
> @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
>  getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
>  usermod -a -G hugetlbfs openvswitch
>  %endif
> +%endif
>  exit 0
>  
>  %post
> +%if %{with libcapng}
>  if [ $1 -eq 1 ]; then
>  sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
>  sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' 
> %{_sysconfdir}/logrotate.d/openvswitch
> @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
>  chown -R openvswitch:openvswitch /etc/openvswitch
>  chown -R openvswitch:openvswitch /var/log/openvswitch
>  fi
> +%endif
>  
>  %if 0%{?systemd_post:1}
>  %systemd_post %{name}.service
> @@ -445,7 +449,11 @@ fi
>  %endif
>  
>  %files
> +%if %{with libcapng}
>  %defattr(-,openvswitch,openvswitch)
> +%else
> +%defattr(-,root,root)
> +%endif
>  %dir %{_sysconfdir}/openvswitch
>  %{_sysconfdir}/openvswitch/default.conf
>  %config %ghost %{_sysconfdir}/openvswitch/conf.db
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-16 Thread Darrell Ball

For '3' comment below:

s/Regarding playbook-fedora-builder.yml in general, there is issue with
playbook-fedora-builder.yml, assuming I use "as is"./
Regarding POC in general, there is an issue with POC for Fedora usage,
assuming I use "as is"./

On Mon, Apr 15, 2019 at 11:21 PM Darrell Ball  wrote:

> Thanks for the fix
>
> 1/ Main changes to openvswitch-fedora.spec.in look ok to me, but we
> should probably also see if there is any specific use
> case concerns from others.
>
> 2/ Couple comments inline
>
> 3/ Regarding playbook-fedora-builder.yml in general, there is issue with
> playbook-fedora-builder.yml, assuming I use "as is".
>
>
> dball@ubuntu:~/ovs/poc/builders$ sudo vagrant up
> DEPRECATION: The 'sudo' option for the Ansible provisioner is deprecated.
> Please use the 'become' option instead.
> The 'sudo' option will be removed in a future release of Vagrant.
>
> Bringing machine 'fedorabuilder' up with 'virtualbox' provider...
> ==> fedorabuilder: Box 'fedora/27-cloud-base' could not be found.
> Attempting to find and install...
> fedorabuilder: Box Provider: virtualbox
> fedorabuilder: Box Version: >= 0
> ==> fedorabuilder: Loading metadata for box 'fedora/27-cloud-base'
> fedorabuilder: URL: https://vagrantcloud.com/fedora/27-cloud-base
> ==> fedorabuilder: Adding box 'fedora/27-cloud-base' (v20171105) for
> provider: virtualbox
> fedorabuilder: Downloading:
> https://vagrantcloud.com/fedora/boxes/27-cloud-base/versions/20171105/providers/virtualbox.box
> fedorabuilder: Download redirected to host: download.fedoraproject.org
> An error occurred while downloading the remote file. The error
> message, if any, is reproduced below. Please fix this error and try
> again.
>
> The requested URL returned error: 404 Not Found
>
> On Mon, Apr 15, 2019 at 6:26 PM Ansis Atteka  wrote:
>
>> Otherwise, Open vSwitch will fail to start with the following
>> error "libcap-ng is not configured at compile time" when it
>> attempts to downgrade to Open vSwitch user.
>>
>> Also, if packages were built in a way where processes are
>> supposed to be running only as root, then there is no point
>> in creating "openvswitch" user in the first place.
>>
>> Signed-off-by: Ansis Atteka 
>> ---
>>  poc/playbook-fedora-builder.yml | 6 +++---
>>  rhel/openvswitch-fedora.spec.in | 8 
>>  2 files changed, 11 insertions(+), 3 deletions(-)
>>
>> diff --git a/poc/playbook-fedora-builder.yml
>> b/poc/playbook-fedora-builder.yml
>> index 70f0b6ff2..b955714fc 100644
>> --- a/poc/playbook-fedora-builder.yml
>> +++ b/poc/playbook-fedora-builder.yml
>> @@ -99,17 +99,17 @@
>>- openvswitch-dkms.spec
>>
>>- name: Build Open vSwitch user space rpms
>> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
>> +command: rpmbuild -bb --without check --without libcapng
>> rhel/openvswitch-fedora.spec
>>  args:
>>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>>
>>- name: Build Open vSwitch kmod rpm
>> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
>> +command: rpmbuild -bb --without check --without libcapng
>> rhel/openvswitch-fedora.spec
>>
>
> Is the correct spec file openvswitch-kmod-fedora.spec ?
> Hence, do we need a change here ?
>
>
>>  args:
>>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>>
>>- name: Build Open vSwitch dkms rpm
>> -command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
>> +command: rpmbuild -bb --without check --without libcapng
>> rhel/openvswitch-dkms.spec
>>
>
> Do you need this line changed ?
>
>
>
>>  args:
>>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>>
>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
>> openvswitch-fedora.spec.in
>> index c1cd3f4c6..ce728b4f0 100644
>> --- a/rhel/openvswitch-fedora.spec.in
>> +++ b/rhel/openvswitch-fedora.spec.in
>> @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
>>  %endif
>>
>>  %pre
>> +%if %{with libcapng}
>>  getent group openvswitch >/dev/null || groupadd -r openvswitch
>>  getent passwd openvswitch >/dev/null || \
>>  useradd -r -g openvswitch -d / -s /sbin/nologin \
>> @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
>>  getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
>>  usermod -a -G hugetlbfs openvswitch
>>  %endif
>> +%endif
>>  exit 0
>>
>>  %post
>> +%if %{with libcapng}
>>  if [ $1 -eq 1 ]; then
>>  sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
>>  sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:'
>> %{_sysconfdir}/logrotate.d/openvswitch
>> @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
>>  chown -R openvswitch:openvswitch /etc/openvswitch
>>  chown -R openvswitch:openvswitch /var/log/openvswitch
>>  fi
>> +%endif
>>
>>  %if 0%{?systemd_post:1}
>>  %systemd_post %{name}.service
>> @@ -445,7 +449,11 @@ fi
>>  %endif
>>
>>  %files
>> +%if %{with libcapng}
>>  %defattr(-,openvswitch,openvswitch)
>> +%else
>> +%defattr(

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-15 Thread Darrell Ball

Thanks for the fix

1/ Main changes to openvswitch-fedora.spec.in look ok to me, but we should
probably also see if there is any specific use
case concerns from others.

2/ Couple comments inline

3/ Regarding playbook-fedora-builder.yml in general, there is issue with
playbook-fedora-builder.yml, assuming I use "as is".

dball@ubuntu:~/ovs/poc/builders$ sudo vagrant up
DEPRECATION: The 'sudo' option for the Ansible provisioner is deprecated.
Please use the 'become' option instead.
The 'sudo' option will be removed in a future release of Vagrant.

Bringing machine 'fedorabuilder' up with 'virtualbox' provider...
==> fedorabuilder: Box 'fedora/27-cloud-base' could not be found.
Attempting to find and install...
fedorabuilder: Box Provider: virtualbox
fedorabuilder: Box Version: >= 0
==> fedorabuilder: Loading metadata for box 'fedora/27-cloud-base'
fedorabuilder: URL: https://vagrantcloud.com/fedora/27-cloud-base
==> fedorabuilder: Adding box 'fedora/27-cloud-base' (v20171105) for
provider: virtualbox
fedorabuilder: Downloading:
https://vagrantcloud.com/fedora/boxes/27-cloud-base/versions/20171105/providers/virtualbox.box
fedorabuilder: Download redirected to host: download.fedoraproject.org
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.

The requested URL returned error: 404 Not Found

On Mon, Apr 15, 2019 at 6:26 PM Ansis Atteka  wrote:

> Otherwise, Open vSwitch will fail to start with the following
> error "libcap-ng is not configured at compile time" when it
> attempts to downgrade to Open vSwitch user.
>
> Also, if packages were built in a way where processes are
> supposed to be running only as root, then there is no point
> in creating "openvswitch" user in the first place.
>
> Signed-off-by: Ansis Atteka 
> ---
>  poc/playbook-fedora-builder.yml | 6 +++---
>  rhel/openvswitch-fedora.spec.in | 8 
>  2 files changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/poc/playbook-fedora-builder.yml
> b/poc/playbook-fedora-builder.yml
> index 70f0b6ff2..b955714fc 100644
> --- a/poc/playbook-fedora-builder.yml
> +++ b/poc/playbook-fedora-builder.yml
> @@ -99,17 +99,17 @@
>- openvswitch-dkms.spec
>
>- name: Build Open vSwitch user space rpms
> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-fedora.spec
>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
>- name: Build Open vSwitch kmod rpm
> -command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
> +command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-fedora.spec
>

Is the correct spec file openvswitch-kmod-fedora.spec ?
Hence, do we need a change here ?

>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
>- name: Build Open vSwitch dkms rpm
> -command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
> +command: rpmbuild -bb --without check --without libcapng
> rhel/openvswitch-dkms.spec
>

Do you need this line changed ?

>  args:
>  chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
>
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
> openvswitch-fedora.spec.in
> index c1cd3f4c6..ce728b4f0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
>  %endif
>
>  %pre
> +%if %{with libcapng}
>  getent group openvswitch >/dev/null || groupadd -r openvswitch
>  getent passwd openvswitch >/dev/null || \
>  useradd -r -g openvswitch -d / -s /sbin/nologin \
> @@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
>  getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
>  usermod -a -G hugetlbfs openvswitch
>  %endif
> +%endif
>  exit 0
>
>  %post
> +%if %{with libcapng}
>  if [ $1 -eq 1 ]; then
>  sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
>  sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:'
> %{_sysconfdir}/logrotate.d/openvswitch
> @@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
>  chown -R openvswitch:openvswitch /etc/openvswitch
>  chown -R openvswitch:openvswitch /var/log/openvswitch
>  fi
> +%endif
>
>  %if 0%{?systemd_post:1}
>  %systemd_post %{name}.service
> @@ -445,7 +449,11 @@ fi
>  %endif
>
>  %files
> +%if %{with libcapng}
>  %defattr(-,openvswitch,openvswitch)
> +%else
> +%defattr(-,root,root)
> +%endif
>  %dir %{_sysconfdir}/openvswitch
>  %{_sysconfdir}/openvswitch/default.conf
>  %config %ghost %{_sysconfdir}/openvswitch/conf.db
> --
> 2.14.1
>
> ___
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

2019-04-15 Thread Ansis Atteka

Otherwise, Open vSwitch will fail to start with the following
error "libcap-ng is not configured at compile time" when it
attempts to downgrade to Open vSwitch user.

Also, if packages were built in a way where processes are
supposed to be running only as root, then there is no point
in creating "openvswitch" user in the first place.

Signed-off-by: Ansis Atteka 
---
 poc/playbook-fedora-builder.yml | 6 +++---
 rhel/openvswitch-fedora.spec.in | 8 
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/poc/playbook-fedora-builder.yml b/poc/playbook-fedora-builder.yml
index 70f0b6ff2..b955714fc 100644
--- a/poc/playbook-fedora-builder.yml
+++ b/poc/playbook-fedora-builder.yml
@@ -99,17 +99,17 @@
   - openvswitch-dkms.spec
 
   - name: Build Open vSwitch user space rpms
-command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
+command: rpmbuild -bb --without check --without libcapng 
rhel/openvswitch-fedora.spec
 args:
 chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
 
   - name: Build Open vSwitch kmod rpm
-command: rpmbuild -bb --without check rhel/openvswitch-fedora.spec
+command: rpmbuild -bb --without check --without libcapng 
rhel/openvswitch-fedora.spec
 args:
 chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
 
   - name: Build Open vSwitch dkms rpm
-command: rpmbuild -bb --without check rhel/openvswitch-dkms.spec
+command: rpmbuild -bb --without check --without libcapng 
rhel/openvswitch-dkms.spec
 args:
 chdir: "{{SOURCE}}/openvswitch-{{version.stdout}}"
 
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index c1cd3f4c6..ce728b4f0 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -350,6 +350,7 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %pre
+%if %{with libcapng}
 getent group openvswitch >/dev/null || groupadd -r openvswitch
 getent passwd openvswitch >/dev/null || \
 useradd -r -g openvswitch -d / -s /sbin/nologin \
@@ -359,9 +360,11 @@ getent passwd openvswitch >/dev/null || \
 getent group hugetlbfs >/dev/null || groupadd -r hugetlbfs
 usermod -a -G hugetlbfs openvswitch
 %endif
+%endif
 exit 0
 
 %post
+%if %{with libcapng}
 if [ $1 -eq 1 ]; then
 sed -i 's:^#OVS_USER_ID=:OVS_USER_ID=:' /etc/sysconfig/openvswitch
 sed -i 's:\(.*su\).*:\1 openvswitch openvswitch:' 
%{_sysconfdir}/logrotate.d/openvswitch
@@ -376,6 +379,7 @@ if [ $1 -eq 1 ]; then
 chown -R openvswitch:openvswitch /etc/openvswitch
 chown -R openvswitch:openvswitch /var/log/openvswitch
 fi
+%endif
 
 %if 0%{?systemd_post:1}
 %systemd_post %{name}.service
@@ -445,7 +449,11 @@ fi
 %endif
 
 %files
+%if %{with libcapng}
 %defattr(-,openvswitch,openvswitch)
+%else
+%defattr(-,root,root)
+%endif
 %dir %{_sysconfdir}/openvswitch
 %{_sysconfdir}/openvswitch/default.conf
 %config %ghost %{_sysconfdir}/openvswitch/conf.db
-- 
2.14.1

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

Re: [ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

[ovs-dev] [PATCH] rhel: if rpms were built without libcapng then let processrs to run as root

7 matches

Site Navigation

Mail list logo

Footer information