From patchwork Wed Nov 25 19:15:26 2015
X-Patchwork-Submitter: Andy Zhou
X-Patchwork-Id: 548723
From: Andy Zhou
To: dev@openvswitch.org
Date: Wed, 25 Nov 2015 11:15:26 -0800
Message-Id: <1448478926-5242-3-git-send-email-azhou@ovn.org>
In-Reply-To: <1448478926-5242-1-git-send-email-azhou@ovn.org>
References: <1448478926-5242-1-git-send-email-azhou@ovn.org>
Subject: [ovs-dev] [Debian-non-root v4 RFC 2/2] Debian: start daemons as ovs(non-root) user

Changes to Debian packaging scripts to create the ovs user and group. Fix the permissions of ovs-created files and directories so that they are accessible by users belonging to the ovs group. Start daemons as the ovs user.
Signed-off-by: Andy Zhou ---- This patch does not include changes to the ipsec package. Ansis has other plans for updating it. Acked-by: Ben Pfaff --- NEWS | 3 +- debian/automake.mk | 1 + debian/control | 1 + debian/openvswitch-common.postinst | 52 ++++++++++++++++++++++++++++++ debian/openvswitch-pki.postinst | 5 +++ debian/openvswitch-switch.init | 4 +++ debian/openvswitch-switch.logrotate | 2 +- debian/openvswitch-switch.postinst | 7 ++++ debian/openvswitch-testcontroller.init | 8 +++-- debian/openvswitch-testcontroller.postinst | 5 +++ debian/openvswitch-vtep.init | 11 ++++++- 11 files changed, 93 insertions(+), 6 deletions(-) create mode 100755 debian/openvswitch-common.postinst diff --git a/NEWS b/NEWS index cf99844..831e145 100644 --- a/NEWS +++ b/NEWS @@ -28,7 +28,8 @@ Post-v2.4.0 - Add support for connection tracking through the new "ct" action and "ct_state"/"ct_zone"/"ct_mark"/"ct_label" match fields. Only available on Linux kernels with the connection tracking module loaded. - + - Changed Debain and Redhat packaging to start OVS daemons as the 'ovs' + user and group. v2.4.0 - 20 Aug 2015 --------------------- diff --git a/debian/automake.mk b/debian/automake.mk index c29a560..3092569 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -8,6 +8,7 @@ EXTRA_DIST += \ debian/dkms.conf.in \ debian/dirs \ debian/openvswitch-common.dirs \ + debian/openvswitch-common.postinst \ debian/openvswitch-common.docs \ debian/openvswitch-common.install \ debian/openvswitch-common.manpages \ diff --git a/debian/control b/debian/control index 3eac644..7c07cb2 100644 --- a/debian/control +++ b/debian/control @@ -60,6 +60,7 @@ Architecture: linux-any Depends: openssl, python, python (>= 2.7) | python-argparse, + adduser, ${misc:Depends}, ${shlibs:Depends} Suggests: ethtool diff --git a/debian/openvswitch-common.postinst b/debian/openvswitch-common.postinst new file mode 100755 index 0000000..0bc946a --- /dev/null +++ b/debian/openvswitch-common.postinst 
@@ -0,0 +1,52 @@ +#!/bin/sh +# postinst script for openvswitch-switch +# +# see: dh_installdeb(1) + +set -e + +OVS_USER=ovs +OVS_GROUP=$OVS_USER + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + configure) + LOGDIR=/var/log/openvswitch + HOMEDIR=/var/run/openvswitch + # Create the ovs user and group. + if ! getent passwd ovs > /dev/null; then + echo 'Adding system-user for ovs' 1>&2 + adduser --system --group --no-create-home --disabled-login \ + --quiet --home $HOMEDIR $OVS_USER + adduser $OVS_USER adm || true + fi + + # Fix ownership and permissions. + chown "$OVS_USER":"$OVS_GROUP" $LOGDIR + chown "$OVS_USER":"$OVS_GROUP" $HOMEDIR + chmod 0775 $HOMEDIR + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 diff --git a/debian/openvswitch-pki.postinst b/debian/openvswitch-pki.postinst index f4705e9..6983f75 100755 --- a/debian/openvswitch-pki.postinst +++ b/debian/openvswitch-pki.postinst @@ -5,6 +5,9 @@ set -e +OVS_USER=ovs +OVS_GROUP=$OVS_USER + # summary of how this script can be called: # * `configure' # * `abort-upgrade' @@ -31,6 +34,8 @@ case "$1" in if test ! -e /var/lib/openvswitch/pki; then ovs-pki init fi + + chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-switch.init b/debian/openvswitch-switch.init index 8e156da..7b7ef46 100755 --- a/debian/openvswitch-switch.init +++ b/debian/openvswitch-switch.init 
@@ -25,6 +25,9 @@ # the Open vSwitch kernel-based switch. ### END INIT INFO +OVS_USER=ovs +OVS_GROUP=$OVS_USER + (test -x /usr/sbin/ovs-vswitchd && test -x /usr/sbin/ovsdb-server) || exit 0 . /usr/share/openvswitch/scripts/ovs-lib @@ -64,6 +67,7 @@ start () { if test X"$FORCE_COREFILES" != X; then set "$@" --force-corefiles="$FORCE_COREFILES" fi + set "$@" --user=$OVS_USER:$OVS_GROUP set "$@" $OVS_CTL_OPTS "$@" || exit $? if [ "$2" = "start" ] && [ "$READ_INTERFACES" != "no" ]; then diff --git a/debian/openvswitch-switch.logrotate b/debian/openvswitch-switch.logrotate index a7a71bd..e93c568 100644 --- a/debian/openvswitch-switch.logrotate +++ b/debian/openvswitch-switch.logrotate @@ -1,7 +1,7 @@ /var/log/openvswitch/*.log { daily compress - create 640 root adm + create 640 ovs adm delaycompress missingok rotate 30 diff --git a/debian/openvswitch-switch.postinst b/debian/openvswitch-switch.postinst index 2464572..80acc42 100755 --- a/debian/openvswitch-switch.postinst +++ b/debian/openvswitch-switch.postinst @@ -5,6 +5,9 @@ set -e +OVS_USER=ovs +OVS_GROUP=$OVS_USER + # summary of how this script can be called: # * `configure' # * `abort-upgrade' @@ -33,6 +36,10 @@ case "$1" in fi done fi + + # fix owner and permissions for /etc/openvswitch. + chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch + chmod 0775 /etc/openvswitch ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-testcontroller.init b/debian/openvswitch-testcontroller.init index 67b7a99..38efd3c 100755 --- a/debian/openvswitch-testcontroller.init +++ b/debian/openvswitch-testcontroller.init 
@@ -37,12 +37,15 @@ DAEMON=/usr/bin/ovs-testcontroller # Introduce the server's location here NAME=ovs-testcontroller # Introduce the short server's name here DESC=ovs-testcontroller # Introduce a short description here LOGDIR=/var/log/openvswitch # Log directory to use +OVS_USER=ovs +OVS_GROUP=$OVS_USER PIDFILE=/var/run/openvswitch/$NAME.pid test -x $DAEMON || exit 0 . /lib/lsb/init-functions +. /usr/share/openvswitch/scripts/ovs-lib # Default options, these can be overriden by the information # at /etc/default/openvswitch-testcontroller @@ -108,9 +111,7 @@ start_server() { exit 0 fi - if [ ! -d /var/run/openvswitch ]; then - install -d -m 755 -o root -g root /var/run/openvswitch - fi + directory_check /var/run/openvswitch SSL_OPTS= case $LISTEN in @@ -139,6 +140,7 @@ start_server() { if [ -z "$DAEMONUSER" ] ; then start-stop-daemon --start --pidfile $PIDFILE \ --exec $DAEMON -- --detach --pidfile=$PIDFILE \ + --user $OVS_USER:$OVS_GROUP \ $LISTEN $DAEMON_OPTS $SSL_OPTS errcode=$? else diff --git a/debian/openvswitch-testcontroller.postinst b/debian/openvswitch-testcontroller.postinst index 7242b4a..66112e3 100755 --- a/debian/openvswitch-testcontroller.postinst +++ b/debian/openvswitch-testcontroller.postinst @@ -5,6 +5,9 @@ set -e +OVS_USER=ovs +OVS_GROUP=$OVS_USER + # summary of how this script can be called: # * `configure' # * `abort-upgrade' @@ -42,6 +45,8 @@ case "$1" in chmod go+r cert.pem req.pem umask $oldumask fi + + chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/debian/openvswitch-vtep.init b/debian/openvswitch-vtep.init index ebf4e26..4f5872b 100644 --- a/debian/openvswitch-vtep.init +++ b/debian/openvswitch-vtep.init @@ -10,6 +10,10 @@ # Description: Initializes the Open vSwitch VTEP emulator ### END INIT INFO +OVS_USER=ovs +OVS_GROUP=$OVS_USER + +. /usr/share/openvswitch/scripts/ovs-lib # Include defaults if available default=/etc/default/openvswitch-vtep 
@@ -40,17 +44,22 @@ start () { cd /etc/openvswitch && ovs-pki req ovsclient && ovs-pki self-sign ovsclient fi + chmod -R 0775 /var/run/openvswitch + directory_check /etc/openvswitch + directory_check /var/run/openvswitch + ovsdb-server --pidfile --detach --log-file --remote \ punix:/var/run/openvswitch/db.sock \ --remote=db:hardware_vtep,Global,managers \ --private-key=/etc/openvswitch/ovsclient-privkey.pem \ --certificate=/etc/openvswitch/ovsclient-cert.pem \ --bootstrap-ca-cert=/etc/openvswitch/vswitchd.cacert \ + --user $OVS_USER:$OVS_GROUP \ /etc/openvswitch/conf.db /etc/openvswitch/vtep.db modprobe openvswitch - ovs-vswitchd --pidfile --detach --log-file \ + ovs-vswitchd --pidfile --detach --log-file --user $OVS_USER:$OVS_GROUP \ unix:/var/run/openvswitch/db.sock }
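Review bot: Typo in the added NEWS line: "Debain" should be "Debian", and "Redhat" is normally written "Red Hat". The same line says the Red Hat packaging was changed, but this patch only touches files under debian/; if that change is in the other patch of the series, word the NEWS entry so it matches what each patch actually does.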
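Review bot: In the new debian/openvswitch-common.postinst, `adduser $OVS_USER adm || true` puts the daemon account into the adm group, which gives the daemons read access to everything adm-readable under /var/log rather than just their own log directory, and the `|| true` hides any failure. The chown of $LOGDIR to ovs:ovs plus the `create 640 ovs adm` in the logrotate hunk already lets administrators in adm read the OVS logs, so the daemons do not need adm membership for that; drop the line unless there is a concrete reason for it, and spell the reason out in a comment. Two smaller points in the same hunk: `chown "$OVS_USER":"$OVS_GROUP" $HOMEDIR` runs under `set -e` at package-configure time, but /var/run is usually a tmpfs and /var/run/openvswitch may not exist until an init script's directory_check creates it, so the postinst would abort on a fresh install (guard with `test -d` or create the directory here); and `getent passwd ovs` hard-codes the name while everything else uses $OVS_USER. The header comment also says "postinst script for openvswitch-switch" although the file is openvswitch-common.postinst.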
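Review bot: In debian/openvswitch-pki.postinst the added `chown "$OVS_USER":"$OVS_GROUP" /var/lib/openvswitch` is not recursive, so the pki tree that `ovs-pki init` creates just above stays root-owned. If keeping the CA material root-only is the intent (a reasonable choice), a comment saying so would save the next reader from "fixing" it; if the ovs user has to write there, this needs `chown -R` or a targeted chown of the files involved.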
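Review bot: In debian/openvswitch-switch.init the new `set "$@" --user=$OVS_USER:$OVS_GROUP` is unconditional, unlike the FORCE_COREFILES option a few lines above, which is read from /etc/default/openvswitch-switch. Consider exposing OVS_USER/OVS_GROUP through that defaults file so an administrator can change or disable the switch. Also, since $OVS_CTL_OPTS is appended after this line, a --user given there would follow the one set here; it is worth checking how ovs-ctl resolves a --user passed twice and documenting which wins.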
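Review bot: In debian/openvswitch-switch.postinst the added `chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch` changes only the directory, so on an upgrade an existing root-owned conf.db (and any database file created earlier in this same postinst) would still be unwritable by ovsdb-server once it runs as ovs. Either chown the database files as well or note in a comment where that ownership fix happens (for example in ovs-ctl's --user handling, if it does it). Separately, `chmod 0775 /etc/openvswitch` makes the configuration directory writable by every member of the ovs group; the commit message only speaks of group members being able to access the files, so please confirm group write was intended.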
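Review bot: In debian/openvswitch-testcontroller.init, replacing `install -d -m 755 -o root -g root /var/run/openvswitch` with `directory_check /var/run/openvswitch` is fine as long as directory_check leaves the directory writable by the ovs user; the controller is now started with `--user $OVS_USER:$OVS_GROUP` and has to write $PIDFILE there. The chmod 0775/chown in openvswitch-common.postinst only helps if the directory survives a reboot, which it does not on a tmpfs /var/run, so please check what ownership and mode directory_check applies when it has to create the directory.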
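Review bot: In debian/openvswitch-testcontroller.postinst the added `chown "$OVS_USER":"$OVS_GROUP" /etc/openvswitch-testcontroller` is not recursive, so files created in the block above keep root ownership (the hunk only shows cert.pem and req.pem being made readable with `chmod go+r`). With the controller now started as the ovs user, anything it must read that is not world-readable, such as its private key, should be chowned or group-readable too; otherwise the service will fail at start on exactly the installs this patch changes.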
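Review bot: In the start() hunk of debian/openvswitch-vtep.init, `chmod -R 0775 /var/run/openvswitch` comes before `directory_check /var/run/openvswitch`, so on first boot with a tmpfs /var/run the chmod runs against a directory that does not exist yet; move it after directory_check, and pair it with a chown, since a group-writable but root-owned tree does not help a process running as ovs. The same function also runs `ovs-pki req` / `ovs-pki self-sign` as root a few lines above and then passes the resulting ovsclient-privkey.pem to an ovsdb-server started with `--user $OVS_USER:$OVS_GROUP`; unless ovs-pki creates the key readable by the ovs group, the daemon will not be able to open its --private-key. Finally, /etc/openvswitch gets a directory_check here but no chown, while conf.db and vtep.db in it must be writable by the now non-root ovsdb-server; the chown in openvswitch-switch.postinst only covers the directory and is not part of this package.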