Message ID | 1470895754-84811-2-git-send-email-jpettit@ovn.org |
---|---|
State | Accepted |
"dev" <dev-bounces@openvswitch.org> wrote on 08/11/2016 01:09:13 AM: > From: Justin Pettit <jpettit@ovn.org> > To: dev@openvswitch.org > Date: 08/22/2016 01:36 PM > Subject: [ovs-dev] [PATCH 2/3] daemon: Minor tweaking of man page fragment. > Sent by: "dev" <dev-bounces@openvswitch.org> > > Signed-off-by: Justin Pettit <jpettit@ovn.org> > --- > lib/daemon.man | 2 +- > lib/daemon.xml | 9 +++++---- > 2 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/lib/daemon.man b/lib/daemon.man > index f4e79ac..2855c2d 100644 > --- a/lib/daemon.man > +++ b/lib/daemon.man > @@ -74,7 +74,7 @@ allowed, with current user or group are assumed > respectively. Only daemons > started by the root user accepts this argument. > .IP > On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES > -before dropping root privileges. Daemons interact with datapath, > +before dropping root privileges. Daemons that interact with a datapath, > such as ovs-vswitchd, will be granted two additional capabilities, namely > CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if > new user is "root". > diff --git a/lib/daemon.xml b/lib/daemon.xml > index d752e99..737ae55 100644 > --- a/lib/daemon.xml > +++ b/lib/daemon.xml > @@ -106,10 +106,11 @@ > <p> > On Linux, daemons will be granted <code>CAP_IPC_LOCK</code> and > <code>CAP_NET_BIND_SERVICES</code> before dropping root privileges. > - Daemons interact with datapath, such as <code>ovs-vswitchd</code>, will > - be granted two additional capabilities, namely > <code>CAP_NET_ADMIN</code> > - and <code>CAP_NET_RAW</code>. The capability change will apply even if > - the new user is root. > + Daemons that interact with a datapath, such as > + <code>ovs-vswitchd</code>, will be granted two additional > + capabilities, namely <code>CAP_NET_ADMIN</code> and > + <code>CAP_NET_RAW</code>. The capability change will apply even > + if the new user is root. > </p> > > <p> > -- LGTM Acked-by: Ryan Moats <rmoats@us.ibm.com>
Ryan Moats/Omaha/IBM wrote on 08/25/2016 09:19:49 AM: > From: Ryan Moats/Omaha/IBM > To: Justin Pettit <jpettit@ovn.org> > Cc: dev@openvswitch.org > Date: 08/25/2016 09:19 AM > Subject: Re: [ovs-dev] [PATCH 2/3] daemon: Minor tweaking of man > page fragment. > > "dev" <dev-bounces@openvswitch.org> wrote on 08/11/2016 01:09:13 AM: > > > From: Justin Pettit <jpettit@ovn.org> > > To: dev@openvswitch.org > > Date: 08/22/2016 01:36 PM > > Subject: [ovs-dev] [PATCH 2/3] daemon: Minor tweaking of man page fragment. > > Sent by: "dev" <dev-bounces@openvswitch.org> > > > > Signed-off-by: Justin Pettit <jpettit@ovn.org> > > --- > > lib/daemon.man | 2 +- > > lib/daemon.xml | 9 +++++---- > > 2 files changed, 6 insertions(+), 5 deletions(-) > > > > diff --git a/lib/daemon.man b/lib/daemon.man > > index f4e79ac..2855c2d 100644 > > --- a/lib/daemon.man > > +++ b/lib/daemon.man > > @@ -74,7 +74,7 @@ allowed, with current user or group are assumed > > respectively. Only daemons > > started by the root user accepts this argument. > > .IP > > On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES > > -before dropping root privileges. Daemons interact with datapath, > > +before dropping root privileges. Daemons that interact with a datapath, > > such as ovs-vswitchd, will be granted two additional capabilities, namely > > CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if > > new user is "root". > > diff --git a/lib/daemon.xml b/lib/daemon.xml > > index d752e99..737ae55 100644 > > --- a/lib/daemon.xml > > +++ b/lib/daemon.xml 
> > @@ -106,10 +106,11 @@ > > <p> > > On Linux, daemons will be granted <code>CAP_IPC_LOCK</code> and > > <code>CAP_NET_BIND_SERVICES</code> before dropping root privileges. > > - Daemons interact with datapath, such as <code>ovs- > vswitchd</code>, will > > - be granted two additional capabilities, namely > > <code>CAP_NET_ADMIN</code> > > - and <code>CAP_NET_RAW</code>. The capability change will > apply even if > > - the new user is root. > > + Daemons that interact with a datapath, such as > > + <code>ovs-vswitchd</code>, will be granted two additional > > + capabilities, namely <code>CAP_NET_ADMIN</code> and > > + <code>CAP_NET_RAW</code>. The capability change will apply even > > + if the new user is root. > > </p> > > > > <p> > > -- > LGTM > > Acked-by: Ryan Moats <rmoats@us.ibm.com> Well phooey - I thought I had the last in the series in my mailbox, but I can't find it, so please consider the above an Ack for the whole series... Ryan
On Wed, Aug 10, 2016 at 11:09:13PM -0700, Justin Pettit wrote: > Signed-off-by: Justin Pettit <jpettit@ovn.org> > --- > lib/daemon.man | 2 +- > lib/daemon.xml | 9 +++++---- > 2 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/lib/daemon.man b/lib/daemon.man > index f4e79ac..2855c2d 100644 > --- a/lib/daemon.man > +++ b/lib/daemon.man > @@ -74,7 +74,7 @@ allowed, with current user or group are assumed respectively. Only daemons > started by the root user accepts this argument. > .IP > On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES > -before dropping root privileges. Daemons interact with datapath, > +before dropping root privileges. Daemons that interact with a datapath, Can you also change ovs-vswitchd to \fBovs\-vswitchd\fR here, please: > such as ovs-vswitchd, will be granted two additional capabilities, namely > CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if > new user is "root". Acked-by: Ben Pfaff <blp@ovn.org>
> On Aug 26, 2016, at 8:49 AM, Ben Pfaff <blp@ovn.org> wrote: > > On Wed, Aug 10, 2016 at 11:09:13PM -0700, Justin Pettit wrote: >> Signed-off-by: Justin Pettit <jpettit@ovn.org> >> --- >> lib/daemon.man | 2 +- >> lib/daemon.xml | 9 +++++---- >> 2 files changed, 6 insertions(+), 5 deletions(-) >> >> diff --git a/lib/daemon.man b/lib/daemon.man >> index f4e79ac..2855c2d 100644 >> --- a/lib/daemon.man >> +++ b/lib/daemon.man >> @@ -74,7 +74,7 @@ allowed, with current user or group are assumed respectively. Only daemons >> started by the root user accepts this argument. >> .IP >> On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES >> -before dropping root privileges. Daemons interact with datapath, >> +before dropping root privileges. Daemons that interact with a datapath, > > Can you also change ovs-vswitchd to \fBovs\-vswitchd\fR here, please: > >> such as ovs-vswitchd, will be granted two additional capabilities, namely >> CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if >> new user is "root". Done. > Acked-by: Ben Pfaff <blp@ovn.org> Thanks. I'll push this and the next patch with yours and Ryan's acks in a minute. --Justin
diff --git a/lib/daemon.man b/lib/daemon.man index f4e79ac..2855c2d 100644 --- a/lib/daemon.man +++ b/lib/daemon.man @@ -74,7 +74,7 @@ allowed, with current user or group are assumed respectively. Only daemons started by the root user accepts this argument. .IP On Linux, daemons will be granted CAP_IPC_LOCK and CAP_NET_BIND_SERVICES -before dropping root privileges. Daemons interact with datapath, +before dropping root privileges. Daemons that interact with a datapath, such as ovs-vswitchd, will be granted two additional capabilities, namely CAP_NET_ADMIN and CAP_NET_RAW. The capability change will apply even if new user is "root". diff --git a/lib/daemon.xml b/lib/daemon.xml index d752e99..737ae55 100644 --- a/lib/daemon.xml +++ b/lib/daemon.xml @@ -106,10 +106,11 @@ <p> On Linux, daemons will be granted <code>CAP_IPC_LOCK</code> and <code>CAP_NET_BIND_SERVICES</code> before dropping root privileges. - Daemons interact with datapath, such as <code>ovs-vswitchd</code>, will - be granted two additional capabilities, namely <code>CAP_NET_ADMIN</code> - and <code>CAP_NET_RAW</code>. The capability change will apply even if - the new user is root. + Daemons that interact with a datapath, such as + <code>ovs-vswitchd</code>, will be granted two additional + capabilities, namely <code>CAP_NET_ADMIN</code> and + <code>CAP_NET_RAW</code>. The capability change will apply even + if the new user is root. </p> <p>
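Review bot: In the lib/daemon.man hunk, the last context line reads 'new user is "root".', while the matching sentence in lib/daemon.xml says "the new user is root". The two fragments carry the same paragraph, so add the article here and use one form for root in both. The first context line of the same hunk has "Only daemons started by the root user accepts this argument", which should read "accept"; since the patch is a wording cleanup of this paragraph, it could pick that up too.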
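Review bot: In the lib/daemon.xml hunk, the context line just above the changed text names <code>CAP_NET_BIND_SERVICES</code>, which is not a Linux capability; the kernel's name is CAP_NET_BIND_SERVICE. Correct it here and in the matching context line of the lib/daemon.man hunk, so that a reader who searches capabilities(7) for the documented name finds it. Separately, the only wording change in this hunk is "Daemons interact with datapath" becoming "Daemons that interact with a datapath", but all four lines of the sentence are rewrapped; limiting the rewrap to the changed lines would make the actual change easier to see.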
Signed-off-by: Justin Pettit <jpettit@ovn.org> --- lib/daemon.man | 2 +- lib/daemon.xml | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-)