@@ -28,7 +28,8 @@ Post-v2.4.0
- Add support for connection tracking through the new "ct" action
and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields. Only
available on Linux kernels with the connection tracking module loaded.
-
+ - Changed Debain and Redhat packaging to start OVS daemons as the 'ovs'
+ user and group.
v2.4.0 - 20 Aug 2015
---------------------
@@ -8,6 +8,7 @@ EXTRA_DIST += \
debian/dkms.conf.in \
debian/dirs \
debian/openvswitch-common.dirs \
+ debian/openvswitch-common.postinst \
debian/openvswitch-common.docs \
debian/openvswitch-common.install \
debian/openvswitch-common.manpages \
@@ -60,6 +60,7 @@ Architecture: linux-any
Depends: openssl,
python,
python (>= 2.7) | python-argparse,
+ adduser,
${misc:Depends},
${shlibs:Depends}
Suggests: ethtool
new file mode 100755
@@ -0,0 +1,52 @@
+#!/bin/sh
+# postinst script for openvswitch-switch
+#
+# see: dh_installdeb(1)
+
+set -e
+
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ LOGDIR=/var/log/openvswitch
+ HOMEDIR=/var/run/openvswitch
+ # Create the ovs user and group.
+ if ! getent passwd ovs > /dev/null; then
+ echo 'Adding system-user for ovs' 1>&2
+ adduser --system --group --no-create-home --disabled-login \
+ --quiet --home $HOMEDIR $OVS_USER
+ adduser $OVS_USER adm || true
+ fi
+
+ # Fix ownership and permissions.
+ chown "$OVS_USER":"$OVS_GROUP" $LOGDIR
+ chown "$OVS_USER":"$OVS_GROUP" $HOMEDIR
+ chmod 0775 $HOMEDIR
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
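Review bot: The existence check `if ! getent passwd ovs > /dev/null; then` hardcodes the account name while every other line uses `$OVS_USER`, so the two can silently diverge; write it as `if ! getent passwd "$OVS_USER" > /dev/null; then`. The following `adduser $OVS_USER adm || true` makes the daemon account a member of adm, which on Debian grants read access to group-readable system logs; since the logrotate hunk creates the OVS logs owned by ovs anyway, a one-line comment stating why adm membership is needed would help, otherwise it is an unnecessary widening of the account's privileges. The two chown lines assume $LOGDIR and $HOMEDIR already exist (unless openvswitch-common.dirs creates them); with `set -e` a missing /var/run/openvswitch, commonly an empty tmpfs at install time, aborts the postinst, so a `mkdir -p -- "$HOMEDIR" "$LOGDIR"` before the chown lines would be more robust.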
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -31,6 +34,8 @@ case "$1" in
if test ! -e /var/lib/openvswitch/pki; then
ovs-pki init
fi
+
+ chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
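Review bot: The new `chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch` is not recursive, so the pki tree that `ovs-pki init` created a few lines above stays root-owned; if a daemon running as ovs is meant to read something under pki this does not achieve it, and if it is not, handing ovs ownership of the parent directory is more than least privilege requires, since the owner of a directory can rename or replace the entries in it, including the CA material. Either scope the change to what the daemons actually need (for instance a group-readable mode on the specific files) or add a comment explaining why the whole directory must be owned by ovs. The enclosing case arm starts outside this hunk.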
@@ -25,6 +25,9 @@
# the Open vSwitch kernel-based switch.
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
(test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0
. /usr/share/openvswitch/scripts/ovs-lib
@@ -64,6 +67,7 @@ start () {
if test X"$FORCE_COREFILES" != X; then
set "$@" --force-corefiles="$FORCE_COREFILES"
fi
+ set "$@" --user=$OVS_USER:$OVS_GROUP
set "$@" $OVS_CTL_OPTS
"$@" || exit $?
if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then
@@ -1,7 +1,7 @@
/var/log/openvswitch/*.log {
daily
compress
- create 640 root adm
+ create 640 ovs adm
delaycompress
missingok
rotate 30
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -33,6 +36,10 @@ case "$1" in
fi
done
fi
+
+ # fix owner and permissions for /etc/openvswitch.
+ chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch
+ chmod 0775 /etc/openvswitch
;;
abort-upgrade|abort-remove|abort-deconfigure)
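Review bot: `chmod 0775 /etc/openvswitch` makes the configuration directory group-writable, so any member of the ovs group can add or replace files in it (conf.db, the vswitchd certificates referenced by the init scripts), which is wider than what the daemons need if they only write conf.db; consider keeping the directory at 0755 and limiting group write to the database file, or record in the comment that ovs group membership is intended to be equivalent to administrative control of the switch. The chown on the preceding line is also non-recursive, so conf.db created earlier in this arm (outside the hunk, so this is inferred) stays root-owned and ovsdb-server started with `--user ovs:ovs` may then fail to write it; if so the chown should cover the file as well. The enclosing case arm starts outside this hunk.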
@@ -37,12 +37,15 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here
NAME=ovs-testcontroller # Introduce the short server's name here
DESC=ovs-testcontroller # Introduce a short description here
LOGDIR=/var/log/openvswitch # Log directory to use
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
PIDFILE=/var/run/openvswitch/$NAME.pid
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
+. /usr/share/openvswitch/scripts/ovs-lib
# Default options, these can be overriden by the information
# at /etc/default/openvswitch-testcontroller
@@ -108,9 +111,7 @@ start_server() {
exit 0
fi
- if [ ! -d /var/run/openvswitch ]; then
- install -d -m 755 -o root -g root /var/run/openvswitch
- fi
+ directory_check /var/run/openvswitch
SSL_OPTS=
case $LISTEN in
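Review bot: `directory_check /var/run/openvswitch` replaces an explicit `install -d -m 755 -o root -g root`, but directory_check is defined in ovs-lib (sourced in the first hunk of this file), not here, so the mode and owner it applies are not visible in the patch; since the daemon now runs as `$OVS_USER` and writes its pidfile into this directory, a comment such as `# directory_check (ovs-lib) creates the dir so that $OVS_USER can write the pidfile` would make the intent clear and let a reader confirm the helper's mode matches. start_server() begins outside this hunk.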
@@ -139,6 +140,7 @@ start_server() {
if [ -z "$DAEMONUSER" ] ; then
start-stop-daemon --start --pidfile $PIDFILE \
--exec $DAEMON -- --detach --pidfile=$PIDFILE \
+ --user $OVS_USER:$OVS_GROUP \
$LISTEN $DAEMON_OPTS $SSL_OPTS
errcode=$?
else
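Review bot: The added `--user $OVS_USER:$OVS_GROUP` sits after start-stop-daemon's `--` separator, so it is an ovs-testcontroller option rather than start-stop-daemon's own `--user` (which only matches existing processes); this is correct but easy to misread, and it only applies in the `-z "$DAEMONUSER"` branch, so the else branch outside the hunk keeps its previous behaviour. A comment such as `# --user is passed to ovs-testcontroller, which drops privileges itself` on the new line would prevent the confusion. The enclosing if and start_server() extend beyond this hunk.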
@@ -5,6 +5,9 @@
set -e
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
@@ -42,6 +45,8 @@ case "$1" in
chmod go+r cert.pem req.pem
umask $oldumask
fi
+
+ chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller
;;
abort-upgrade|abort-remove|abort-deconfigure)
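Review bot: The new `chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller` changes only the directory, so the files generated by ovs-pki just above it (cert.pem, req.pem and, presumably, the private key that the `chmod go+r` deliberately leaves unreadable) stay root-owned; if ovs-testcontroller opens its private key only after switching to ovs, the SSL configuration cannot read it, and if it opens the key before dropping privileges, the chown is not needed at all. Confirm which it is and either chown the key to ovs while keeping it mode 0600, or drop this line and state in a comment that the directory need not be writable by the daemon. The enclosing case arm starts outside this hunk.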
@@ -10,6 +10,10 @@
# Description: Initializes the Open vSwitch VTEP emulator
### END INIT INFO
+OVS_USER=ovs
+OVS_GROUP=$OVS_USER
+
+. /usr/share/openvswitch/scripts/ovs-lib
# Include defaults if available
default=/etc/default/openvswitch-vtep
@@ -40,17 +44,22 @@ start () {
cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient
fi
+ chmod -R 0775 /var/run/openvswitch
+ directory_check /etc/openvswitch
+ directory_check /var/run/openvswitch
+
ovsdb-server --pidfile --detach --log-file --remote \
punix:/var/run/openvswitch/db.sock \
--remote=db:hardware_vtep,Global,managers \
--private-key=/etc/openvswitch/ovsclient-privkey.pem \
--certificate=/etc/openvswitch/ovsclient-cert.pem \
--bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \
+ --user $OVS_USER:$OVS_GROUP \
/etc/openvswitch/conf.db /etc/openvswitch/vtep.db
modprobe openvswitch
- ovs-vswitchd --pidfile --detach --log-file \
+ ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \
unix:/var/run/openvswitch/db.sock
}
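Review bot: `chmod -R 0775 /var/run/openvswitch` runs before `directory_check /var/run/openvswitch` creates the directory, so on a first boot where /var/run is a fresh tmpfs the chmod operates on a path that does not exist yet, the new mode is never applied, and the script may abort if it runs under `set -e`; swap the two lines so that directory_check runs first. The recursive chmod also sets 0775 on every file already in the directory (pid files, the db.sock socket), making them group-writable and executable, which is broader than the daemons need; a non-recursive `chmod 0775 /var/run/openvswitch` after directory_check, leaving file modes to the daemons' umask, is the narrower change. start() begins outside this hunk.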
Changes to Debian packaging scripts to create the ovs user and group. Fix the permissions of ovs created files and directories so that they are accessible by users belonging to the ovs group. Start daemons as the ovs user. Signed-off-by: Andy Zhou <azhou@nicira.com> ---- This patch does not include changes to the ipsec package. Ansis has other plans for updating it. --- NEWS | 3 +- debian/automake.mk | 1 + debian/control | 1 + debian/openvswitch-common.postinst | 52 ++++++++++++++++++++++++++++++ debian/openvswitch-pki.postinst | 5 +++ debian/openvswitch-switch.init | 4 +++ debian/openvswitch-switch.logrotate | 2 +- debian/openvswitch-switch.postinst | 7 ++++ debian/openvswitch-testcontroller.init | 8 +++-- debian/openvswitch-testcontroller.postinst | 5 +++ debian/openvswitch-vtep.init | 11 ++++++- 11 files changed, 93 insertions(+), 6 deletions(-) create mode 100755 debian/openvswitch-common.postinst