diff options
| author | Jaime Caamaño Ruiz <jcaamano@suse.com> | 2019-05-08 13:53:48 +0200 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2019-06-09 17:25:46 -0700 |
| commit | 94e1e8be3187a4824ac27ed843396dde5cc02d13 (patch) | |
| tree | 35d337ef242b891f11874cbee7b5079706773fa4 /rhel | |
| parent | 27e25e18c1f4cdd789d5670ab9e01dcf02a86b6f (diff) | |
| download | openvswitch-94e1e8be3187a4824ac27ed843396dde5cc02d13.tar.gz | |
rhel: run ovn with the same user as ovs
Both ovn and ovs share the same log and run directories which are owned
by the user running ovs so it makes sense that ovn runs under that user
too to diminish security concerns and possible problems with log rotation.
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Diffstat (limited to 'rhel')
5 files changed, 16 insertions, 7 deletions
diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service index 5f69c57bb..b1e239f57 100644 --- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service +++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service @@ -39,8 +39,10 @@ Restart=on-failure Environment=OVN_DB=unix:%t/openvswitch/ovnsb_db.sock Environment=VTEP_DB=unix:%t/openvswitch/db.sock EnvironmentFile=-/etc/sysconfig/ovn-controller-vtep +EnvironmentFile=/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \ --db-sb-sock=${OVN_DB} --db-sock=${VTEP_DB} \ + --ovn-user=${OVS_USER_ID} \ start_controller_vtep ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller_vtep diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service index cf65988fe..335cd5a52 100644 --- a/rhel/usr_lib_systemd_system_ovn-controller.service +++ b/rhel/usr_lib_systemd_system_ovn-controller.service @@ -24,7 +24,9 @@ Type=forking PIDFile=/var/run/openvswitch/ovn-controller.pid Restart=on-failure EnvironmentFile=-/etc/sysconfig/ovn-controller +EnvironmentFile=/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovn-ctl --no-monitor \ + --ovn-user=${OVS_USER_ID} \ start_controller $OVN_CONTROLLER_OPTS ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_controller diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service index 3c44600a0..ff510fbde 100644 --- a/rhel/usr_lib_systemd_system_ovn-northd.service +++ b/rhel/usr_lib_systemd_system_ovn-northd.service @@ -24,7 +24,11 @@ Type=oneshot RemainAfterExit=yes Environment=OVS_RUNDIR=%t/openvswitch OVS_DBDIR=/var/lib/openvswitch EnvironmentFile=-/etc/sysconfig/ovn-northd -ExecStart=/usr/share/openvswitch/scripts/ovn-ctl start_northd $OVN_NORTHD_OPTS +EnvironmentFile=/run/openvswitch.useropts +ExecStartPre=/usr/bin/chown -R ${OVS_USER_ID} ${OVS_DBDIR} +ExecStart=/usr/share/openvswitch/scripts/ovn-ctl \ + --ovs-user=${OVS_USER_ID} --ovn-user=${OVS_USER_ID} \ + start_northd $OVN_NORTHD_OPTS ExecStop=/usr/share/openvswitch/scripts/ovn-ctl stop_northd [Install] diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in index 87abe3a89..ff43dae96 100644 --- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in +++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in @@ -22,11 +22,11 @@ ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages @end_dpdk@ ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovsdb-server --no-monitor --system-id=random \ - ${OVSUSER} \ + ${OVS_USER_OPT} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \ --no-monitor --system-id=random \ - ${OVSUSER} \ + ${OVS_USER_OPT} \ restart $OPTIONS TimeoutSec=300 diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service index d4b605a75..9bb37fd06 100644 --- a/rhel/usr_lib_systemd_system_ovsdb-server.service +++ b/rhel/usr_lib_systemd_system_ovsdb-server.service @@ -12,15 +12,16 @@ Restart=on-failure EnvironmentFile=/etc/openvswitch/default.conf EnvironmentFile=-/etc/sysconfig/openvswitch ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch -ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi' -EnvironmentFile=-/run/openvswitch.useropts +ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; /usr/bin/echo "OVS_USER_ID=${OVS_USER_ID}" > /run/openvswitch.useropts' +ExecStartPre=/bin/sh -c 'if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVS_USER_OPT=--ovs-user=${OVS_USER_ID}" >> /run/openvswitch.useropts; fi' +EnvironmentFile=/run/openvswitch.useropts ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \ --no-ovs-vswitchd --no-monitor --system-id=random \ - ${OVSUSER} \ + ${OVS_USER_OPT} \ start $OPTIONS ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \ - ${OVSUSER} \ + ${OVS_USER_OPT} \ --no-monitor restart $OPTIONS RuntimeDirectory=openvswitch RuntimeDirectoryMode=0755 |