Accepting request 709214 from home:jaicaa:branches:network

- Add upstream patches to fix bsc#1135884:
  * 0001-rhel-secure-openvswitch-useropts.patch
  * 0002-rhel-let-ctl-handle-runtime-directory.patch

OBS-URL: https://build.opensuse.org/request/show/709214
OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=184
Tomáš Chvátal 2019-06-12 06:04:55 +00:00 committed by Git OBS Bridge
parent 35776c053e
commit 21b9f164e3
4 changed files with 101 additions and 0 deletions

@ -0,0 +1,39 @@
From aec69da8a2385b3d1368b484aa247876fbc2018d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <jcaamano@suse.com>
Date: Wed, 8 May 2019 13:53:47 +0200
Subject: [PATCH 1/2] rhel: secure openvswitch useropts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The openvswitch useropts file is being stored in a directory where the
openvswitch user has write permissions. The openvswitch user can then
manipulate the file to change the user under which switchd daemon runs.
This patch changes the file to /var/openvswitch.useropts preventing any
manipulation.
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
rhel/usr_lib_systemd_system_ovsdb-server.service | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 70da1ec95..0f9d936b3 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -11,8 +11,8 @@ Restart=on-failure
EnvironmentFile=/etc/openvswitch/default.conf
EnvironmentFile=-/etc/sysconfig/openvswitch
ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
-ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
-EnvironmentFile=-/run/openvswitch/useropts
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
+EnvironmentFile=-/run/openvswitch.useropts
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
--no-ovs-vswitchd --no-monitor --system-id=random \
${OVSUSER} \
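Review bot: the path in this hunk does not match the patch description: the description says the file moves to /var/openvswitch.useropts, while both the `rm -f` and the redirect use `/run/openvswitch.useropts`, and the new EnvironmentFile line reads that same /run path. The /run location is the one that meets the stated goal (the parent directory /run is not the one the preceding ExecStartPre chowns to ${OVS_USER_ID}, unlike /run/openvswitch), so the description should be corrected rather than the code. One caveat worth a comment in the unit: `${OVS_USER_ID/:*/}` is bash pattern substitution, so the `/bin/sh -c` line relies on /bin/sh being bash; under a strictly POSIX sh that expansion is a syntax error and the useropts file is never written.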
--
2.16.4

@ -0,0 +1,48 @@
From eb48aba90b582df6dd7d2798a34ac31f7ed68282 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <jcaamano@suse.com>
Date: Mon, 10 Jun 2019 14:58:10 +0200
Subject: [PATCH] rhel: let *-ctl handle runtime directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recent versions of systemd restore RuntimeDirectory ownership to the
unit's User in between execution of *Exec directives (see [1]). Using
ExecStartPre to reset RuntimeDirectory ownership to OVS_USER no longer
works as expected.
The ctl scripts already handle creation of the runtime directory with
correct ownership and permissions, so we can basically remove
RuntimeDirectory from the systemd unit file. There is still a need to handle
ownership to cover some upgrade scenarios, but the success of that will be
optional as the directory itself won't exist at first-time run.
[1] https://github.com/systemd/systemd/issues/12713
Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
---
rhel/usr_lib_systemd_system_ovsdb-server.service | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 0f9d936b3..22c704561 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -10,7 +10,7 @@ Type=forking
Restart=on-failure
EnvironmentFile=/etc/openvswitch/default.conf
EnvironmentFile=-/etc/sysconfig/openvswitch
-ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
+ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch /var/log/openvswitch
ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch.useropts; if [ "$${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch.useropts; fi'
EnvironmentFile=-/run/openvswitch.useropts
ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
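Review bot: the `-` prefix makes the whole chown non-fatal, which masks more than the case the description targets. The command covers both /var/run/openvswitch and /var/log/openvswitch; the description says only the runtime directory may be absent on first start, but a genuine failure to chown the log directory (packaged by the spec as a root-owned 750 directory) would now also be silently ignored. Consider guarding only the runtime directory, for example `ExecStartPre=-/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch` on its own line with the log-directory chown kept fatal, so a permission regression on the log directory still fails the unit visibly.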
@@ -21,5 +21,3 @@ ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
${OVSUSER} \
--no-monitor restart $OPTIONS
-RuntimeDirectory=openvswitch
-RuntimeDirectoryMode=0755
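Review bot: dropping RuntimeDirectory= removes more than the ownership reset the description complains about: systemd will no longer create /run/openvswitch before the Exec lines run, nor remove it when the unit stops. The first ExecStartPre in this file still refers to /var/run/openvswitch, so on a fresh boot it now depends on the `-` prefix from the previous hunk to tolerate the missing directory and on ovs-ctl creating it during ExecStart. A comment in the unit, or a sentence in the patch description, stating that /run/openvswitch is now created and owned entirely by the ctl scripts would save the next reader from re-adding RuntimeDirectory= to "fix" the missing directory.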
--
2.16.4

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jun 10 17:12:00 UTC 2019 - <jcaamano@suse.com>
- Add upstream patches to fix bsc#1135884:
* 0001-rhel-secure-openvswitch-useropts.patch
* 0002-rhel-let-ctl-handle-runtime-directory.patch
-------------------------------------------------------------------
Mon May 6 17:08:26 UTC 2019 - <jcaamano@suse.com>

@ -55,6 +55,10 @@ Source1: preamble
Source89: Module.supported.updates
# PATCH-FIX-OPENSUSE: Use-strongswan-for-openvswitch-ipsec-service.patch
Patch0: 0001-Use-strongswan-for-openvswitch-ipsec-service.patch
# PATCH-FIX-UPSTREAM: 0001-rhel-secure-openvswitch-useropts.patch
Patch1: 0001-rhel-secure-openvswitch-useropts.patch
# PATCH-FIX-UPSTREAM: 0002-rhel-let-ctl-handle-runtime-directory.patch
Patch2: 0002-rhel-let-ctl-handle-runtime-directory.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: graphviz
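Review bot: the PATCH-FIX-UPSTREAM comments for Patch1 and Patch2 only repeat the file names; since both patch files carry their upstream commit ids (aec69da8a2385b3d1368b484aa247876fbc2018d and eb48aba90b582df6dd7d2798a34ac31f7ed68282) and the change tracks bsc#1135884, recording those in the comments makes it much easier to drop the patches at the next version bump. Also note that the second patch carries only the author's Signed-off-by, whereas the first also has the maintainer's, so it is worth confirming it was actually merged upstream before tagging it PATCH-FIX-UPSTREAM rather than PATCH-FIX-OPENSUSE.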
@ -336,6 +340,8 @@ performance and connectivity issues in Open vSwitch setup.
%prep
%setup -q -n openvswitch-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
set -- * .travis* .mailmap .cirrus.yml
@ -903,6 +909,7 @@ exit 0
%endif
%attr(750,root,root) %dir %{_localstatedir}/log/openvswitch
%ghost %attr(755,root,root) %{_rundir}/openvswitch
%ghost %attr(644,root,root) %{_rundir}/openvswitch.useropts
%if %{with dpdk}
%{_prefix}/lib/udev/rules.d/91-vfio.rules
%endif
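Review bot: the new %ghost entry matches the path the patched unit now writes (/run/openvswitch.useropts, i.e. %{_rundir}/openvswitch.useropts), and 644 root:root is consistent with the first patch's goal that the file be readable via EnvironmentFile=- but not writable by the service user. A short comment next to it saying the file is generated by the unit's ExecStartPre at service start would help, since nothing in %install creates it and a packager may otherwise look for a missing install step.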