@@ -123,6 +123,10 @@ another string is specified \fBovs\-ctl\fR uses it literally.
The following options should be specified if the defaults are not
suitable:
.
+.IP "\fB\-\-run\-as=\fIuser[:group]\fR"
+Run OVS daemons as the user specified. In case 'user' is not root, OVS
+daemons will run with the least privileges necessary.
+.
.IP "\fB\-\-system\-type=\fItype\fR"
.IQ "\fB\-\-system\-version=\fIversion\fR"
Sets the value to store in the \fBsystem-type\fR and
@@ -1,5 +1,5 @@
#! /bin/sh
-# Copyright (C) 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
+# Copyright (C) 2009, 2010, 2011, 2012, 2013, 2014, 2015 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,8 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-OVS_USER=root # Default user.
-OVS_GROUP=root # Default group.
case $0 in
*/*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;;
@@ -101,6 +99,7 @@ set_system_ids () {
else
log_failure_msg "missing uuidgen, could not generate system ID"
fi
+ chown "$OVS_USER":"$OVS_GROUP" $id_file
;;
'')
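Review bot: The new `chown` after `fi` runs no matter which branch was taken, so when uuidgen is missing and the id file was (presumably) never written, chown adds a second error on top of the log_failure_msg; `$id_file` is also unquoted. Guarding it, `test -f "$id_file" && chown "$OVS_USER":"$OVS_GROUP" "$id_file"`, or moving the chown into the branch that actually writes the file, keeps the reported failure to the real cause. The enclosing case arm and set_system_ids start outside the hunk, so I cannot see whether $id_file is always set at this point.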
@@ -535,6 +534,8 @@ set_defaults () {
SYSTEM_TYPE=unknown
SYSTEM_VERSION=unknown
fi
+ OVS_USER=root # Default user.
+ OVS_GROUP=$OVS_USER # Default group.
}
usage () {
@@ -573,6 +574,7 @@ Less important options for "start", "restart" and "force-reload-kmod":
--daemon-cwd=DIR set working dir for OVS daemons (default: $DAEMON_CWD)
--no-force-corefiles do not force on core dumps for OVS daemons
--no-mlockall do not lock all of ovs-vswitchd into memory
+ --run-as=USER run ovs daemons as the root user of ovs user (default: $OVS_USER:$OVS_GROUP)
--ovsdb-server-priority=NICE set ovsdb-server's niceness (default: $OVSDB_SERVER_PRIORITY)
--ovs-vswitchd-priority=NICE set ovs-vswitchd's niceness (default: $OVS_VSWITCHD_PRIORITY)
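Review bot: The new usage line reads `run ovs daemons as the root user of ovs user`, which looks like a typo for "or", and it advertises only `USER` although the man page hunk documents `user[:group]` and the parser accepts `USER[:GROUP]`. I would change it to `  --run-as=USER[:GROUP]         run OVS daemons as USER (and GROUP) instead of root (default: $OVS_USER:$OVS_GROUP)`, keeping the description column aligned with the neighbouring options. The usage text is the first thing an operator sees, so it should match what the option really accepts.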
@@ -653,6 +655,26 @@ do
;;
esac
;;
+ --run-as=*)
+ value=`expr X"$arg" : 'X[^=]*=\(.*\)'`
+ case $value in
+ [a-z]*:*)
+ OVS_USER=`expr X"$value" : 'X\(.*\):.*'`
+ OVS_GROUP=`expr X"$value" : 'X[^:]*:\(.*\)'`
+ if test X"$OVS_GROUP" = X; then
+ OVS_GROUP=$OVS_USER
+ fi
+ ;;
+ [a-z]*)
+ OVS_USER=`expr X"$value" : 'X\(.*\)'`
+ OVS_GROUP=$OVS_USER
+ ;;
+ *)
+ echo >&2 "$0: --run-as argument not in the form \"user[:group]\""
+ exit 1
+ ;;
+ esac
+ ;;
--[a-z]*=*)
option=`expr X"$arg" : 'X--\([^=]*\)'`
value=`expr X"$arg" : 'X[^=]*=\(.*\)'`
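Review bot: The `--run-as=*` branch accepts any value matching `[a-z]*` without checking that the account exists, so a mistyped name is only caught later by `install`, `chown` or the daemon's `--user`, each failing with its own message after partial work has been done. Checking up front, `id "$OVS_USER" >/dev/null 2>&1 || { echo >&2 "$0: --run-as: no such user \"$OVS_USER\""; exit 1; }` and likewise `getent group "$OVS_GROUP"` for the group, fails fast with one clear message before anything is created or re-owned. The `[a-z]*` patterns also reject account names that begin with an underscore, a digit or an uppercase letter (a `_ovs`-style system account, for instance), and `'X\(.*\):.*'` is greedy so `a:b:c` yields user `a:b` and group `c`; if the restriction is intentional, a short comment saying so would help the next reader.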
@@ -149,10 +149,15 @@ start_daemon () {
set "$@" --log-file="$logdir/$daemon.log"
# pidfile and monitoring
- test -d "$rundir" || install -d -m 755 -o "$OVS_USER" -g "$OVS_GROUP" "$rundir"
+ test -d "$rundir" || install -d -m 775 -o "$OVS_USER" -g "$OVS_GROUP" "$rundir"
set "$@" --pidfile="$rundir/$daemon.pid"
set "$@" --detach --monitor
+ # non root user
+ if test "$OVS_USER" != "root"; then
+ set "$@" --user="$OVS_USER":"$OVS_GROUP"
+ fi
+
# wrapper
case $wrapper in
valgrind)
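Review bot: `test -d "$rundir" ||` skips the `install -d` when the directory already exists, so on a host that previously ran the daemons as root the run directory stays root-owned and a daemon started with `--user` cannot write its pidfile there; adding `chown "$OVS_USER":"$OVS_GROUP" "$rundir"` after that line (or dropping the `test -d` guard if `install -d` is relied on to reset ownership on an existing directory — worth confirming for the coreutils in use) covers the upgrade path. The widening from 755 to 775 is also unconditional and unexplained: with a non-root group every member of OVS_GROUP can create and remove files in the run directory, including pidfiles and whatever sockets the daemons place there. If that is intended, a comment such as `# group-writable so members of OVS_GROUP can use the run directory` should say so; otherwise keep 755. start_daemon begins and ends outside the hunk.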
@@ -376,4 +381,6 @@ upgrade_db () {
create_db "$DB_FILE" "$DB_SCHEMA"
fi
fi
+
+ chown -R "$OVS_USER":"$OVS_GROUP" `dirname $DB_FILE`
}
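Review bot: `chown -R` on `dirname $DB_FILE` hands ownership of the whole database directory and everything beneath it to the daemon user, which is broader than the non-root daemon needs and lets a compromised daemon rewrite anything else kept there (if system-id files, keys or certificates live alongside the database — confirm); `dirname $DB_FILE` is also unquoted. Scoping it to the database and its directory, `chown "$OVS_USER":"$OVS_GROUP" "$DB_FILE" \`dirname "$DB_FILE"\``, keeps the least-privilege claim the man page hunk makes. Whether ovsdb-server also needs to own lock or temporary files beside the database I cannot tell from here, so that is worth checking before narrowing. upgrade_db starts outside the hunk.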
Add option to ovs-ctl script to specify whether to start the daemons as root user or ovs user. The default is 'run-as=root', which preserves the script's current behavior. Signed-off-by: Andy Zhou <azhou@nicira.com> --- utilities/ovs-ctl.8 | 4 ++++ utilities/ovs-ctl.in | 28 +++++++++++++++++++++++++--- utilities/ovs-lib.in | 9 ++++++++- 3 files changed, 37 insertions(+), 4 deletions(-)