rhel: Run ovn services with the 'openvswitch' user

This patch could have created a new user 'ovn' for ovn services instead of using 'openvswitch' user. But this would require some amount of work and proper testing since the new user 'ovn' should be part of 'openvswitch' group (to access /var/run/openvswitch/db.sock.). If ovs is compiled with dpdk, then it may get tricky (as ovs-vswitchd is run as user - openvswitch:hugetlbfs). We can support a new user for 'ovn' services in the future. Recently the commit [1] in ovs repo added support to run ovn services with the 'openvswitch' user, but this commit was not applied to ovn repo as we had already created a new OVN repo. During the OVS/OVN formal split, we missed out on applying the patch [1]. This patch takes some code from [1]. [1] - 94e1e8b ("rhel: run ovn with the same user as ovs"). Acked-by: Mark Michelson <[email protected]> Signed-off-by: Numan Siddique <[email protected]>
hzhou8 · Aug 29, 2019 · cfb62bb · cfb62bb
1 parent 70f42bd
commit cfb62bb
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 2 deletions.
diff --git a/rhel/automake.mk b/rhel/automake.mk
@@ -15,7 +15,8 @@ EXTRA_DIST += \
 	rhel/usr_lib_systemd_system_ovn-controller-vtep.service \
 	rhel/usr_lib_systemd_system_ovn-northd.service \
 	rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
-	rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml
+	rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \
+	rhel/usr_share_ovn_scripts_systemd_sysconfig.template
 
 update_rhel_spec = \
   $(AM_V_GEN)($(ro_shell) && sed -e 's,[@]VERSION[@],$(VERSION),g') \

diff --git a/rhel/ovn-fedora.spec.in b/rhel/ovn-fedora.spec.in
@@ -186,6 +186,10 @@ make %{?_smp_mflags}
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT
 
+install -p -D -m 0644 \
+        rhel/usr_share_ovn_scripts_systemd_sysconfig.template \
+        $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ovn
+
 for service in ovn-controller ovn-controller-vtep ovn-northd; do
         install -p -D -m 0644 \
                         rhel/usr_lib_systemd_system_${service}.service \
@@ -319,6 +323,14 @@ fi
     fi
 %endif
 
+%post
+%if %{with libcapng}
+if [ $1 -eq 1 ]; then
+    sed -i 's:^#OVN_USER_ID=:OVN_USER_ID=:' %{_sysconfdir}/sysconfig/ovn
+    sed -i 's:\(.*su\).*:\1 ovn ovn:' %{_sysconfdir}/logrotate.d/ovn
+fi
+%endif
+
 %post central
 %if 0%{?systemd_post:1}
     %systemd_post ovn-northd.service
@@ -413,6 +425,7 @@ if [ $1 -eq 1 ]; then
 fi
 
 %files
+%config(noreplace) %{_sysconfdir}/sysconfig/ovn
 %{_bindir}/ovn-nbctl
 %{_bindir}/ovn-sbctl
 %{_bindir}/ovn-trace

diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
@@ -38,10 +38,12 @@ Restart=on-failure
 Environment=OVS_RUNDIR=%t/openvswitch
 Environment=OVN_RUNDIR=%t/ovn
 Environment=OVN_DB=unix:%t/ovn/ovnsb_db.sock
+EnvironmentFile=-/etc/sysconfig/ovn
 Environment=VTEP_DB=unix:%t/openvswitch/db.sock
 EnvironmentFile=-/etc/sysconfig/ovn-controller-vtep
 ExecStart=/usr/bin/ovn-controller-vtep -vconsole:emer -vsyslog:err -vfile:info \
           --log-file=/var/log/ovn/ovn-controller-vtep.log \
+          --ovn-user=${OVN_USER_ID} \
           --no-chdir --pidfile=${OVN_RUNDIR}/ovn-controller-vtep.pid \
           --ovnsb-db=${OVN_DB} --vtep-db=${VTEP_DB}
 

diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
@@ -24,8 +24,10 @@ Type=forking
 PIDFile=/var/run/ovn/ovn-controller.pid
 Restart=on-failure
 Environment=OVN_RUNDIR=%t/ovn OVS_RUNDIR=%t/openvswitch
+EnvironmentFile=-/etc/sysconfig/ovn
 EnvironmentFile=-/etc/sysconfig/ovn-controller
 ExecStart=/usr/share/ovn/scripts/ovn-ctl --no-monitor \
+           --ovn-user=${OVN_USER_ID} \
           start_controller $OVN_CONTROLLER_OPTS
 ExecStop=/usr/share/ovn/scripts/ovn-ctl stop_controller
 

diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
@@ -21,8 +21,11 @@ After=syslog.target
 Type=oneshot
 RemainAfterExit=yes
 Environment=OVN_RUNDIR=%t/ovn OVN_DBDIR=/var/lib/ovn
+EnvironmentFile=-/etc/sysconfig/ovn
 EnvironmentFile=-/etc/sysconfig/ovn-northd
-ExecStart=/usr/share/ovn/scripts/ovn-ctl start_northd $OVN_NORTHD_OPTS
+ExecStartPre=-/usr/bin/chown -R ${OVN_USER_ID} ${OVN_DBDIR}
+ExecStart=/usr/share/ovn/scripts/ovn-ctl \
+          --ovn-user=${OVN_USER_ID} start_northd $OVN_NORTHD_OPTS
 ExecStop=/usr/share/ovn/scripts/ovn-ctl stop_northd
 
 [Install]

diff --git a/rhel/usr_share_ovn_scripts_systemd_sysconfig.template b/rhel/usr_share_ovn_scripts_systemd_sysconfig.template
@@ -0,0 +1,13 @@
+### Configuration options for OVN
+#
+# Set "nice" priority at which to run ovn-northd:
+# --ovn-northd-priority=-10
+#
+# Set "nice" priority at which to run ovn-controller:
+# --ovn-controller-priority=-10
+#
+#
+OPTIONS=""
+
+# Uncomment and set the OVN User/Group value
+#OVN_USER_ID="openvswitch:openvswitch"
diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl
@@ -183,6 +183,18 @@ $cluster_remote_port
         upgrade_db "$file" "$schema"
     fi
 
+    # Set the owner of the ovn_dbdir (with -R option) to OVN_USER if set.
+    # This is required because the ovndbs are created with root permission
+    # if not present when create_cluster/upgrade_db is called.
+    INSTALL_USER="root"
+    INSTALL_GROUP="root"
+    [ "$OVN_USER" != "" ] && INSTALL_USER="${OVN_USER%:*}"
+    [ "${OVN_USER##*:}" != "" ] && INSTALL_GROUP="${OVN_USER##*:}"
+
+    chown -R $INSTALL_USER:$INSTALL_GROUP $ovn_dbdir
+    chown -R $INSTALL_USER:$INSTALL_GROUP $OVN_RUNDIR
+    chown -R $INSTALL_USER:$INSTALL_GROUP $ovn_logdir
+
     set ovsdb-server
     set "$@" $log --log-file=$logfile
     set "$@" --remote=punix:$sock --pidfile=$db_pid_file