From 95221c70c1e25fbd8916816b5f8fa5dd4cff55ca6194a67ebea4f34e6497b419 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Thu, 14 Dec 2023 12:03:53 +0000 Subject: [PATCH] - convert to sysuser generated users - Add BuildRequires on python-setuptools. Previously this was pulled by python-Sphinx in the build environment. CVE-2023-3152.patch CVE-2023-1668.patch Some of the features are, -For more details, check - Added ovsb tool install patch, * install-ovsdb-tools.patch - add openssl(cli) dependency on pki (bsc#1185839) https://github.com/openvswitch/ovs/blob/v2.14.2/NEWS (bsc#1181742). - Fix wrong default directories for OVS python utilities (bsc#1176273). https://github.com/openvswitch/ovs/blob/v2.14.0/NEWS https://github.com/ovn-org/ovn/blob/v20.06.2/NEWS - add missing provides/obsoletes for python3-openvswitch-test - Update openvswitch to 2.13.0. https://github.com/openvswitch/ovs/blob/v2.13.0/NEWS https://github.com/openvswitch/ovs/blob/master/NEWS - Update DPDK dependency to support DPDK 18.11.2. * 0001-rhel-secure-openvswitch-useropts.patch - Use temporary directory for python build. including: - Support for the kernel versions 4.18.x * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch * 0001-utilities-Add-script-to-support-DPDK-option-migratio.patch - Replace references to /var/adm/fillup-templates with new removed (bsc#1050896) builds on aarch64 now - fix rcX link OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=251 --- openvswitch-user.conf | 3 ++ openvswitch.changes | 99 +++++++++++++++++++++++-------------------- openvswitch.spec | 19 +++++---- 3 files changed, 65 insertions(+), 56 deletions(-) create mode 100644 openvswitch-user.conf diff --git a/openvswitch-user.conf b/openvswitch-user.conf new file mode 100644 index 0000000..8f1bc28 --- /dev/null +++ b/openvswitch-user.conf @@ -0,0 +1,3 @@ +# Type Name ID GECOS [HOME] +g openvswitch - - +u openvswitch - "Open vSwitch Daemons" / /sbin/nologin 
diff --git a/openvswitch.changes b/openvswitch.changes index e083339..f1dd83c 100644 --- a/openvswitch.changes +++ b/openvswitch.changes @@ -1,22 +1,27 @@ +------------------------------------------------------------------- +Thu Dec 14 11:55:19 UTC 2023 - Dirk Müller + +- convert to sysuser generated users + ------------------------------------------------------------------- Mon Dec 4 15:52:33 UTC 2023 - Ana Guerrero -- Add BuildRequires on python-setuptools. Previously this was pulled - by python-Sphinx in the build environment. +- Add BuildRequires on python-setuptools. Previously this was pulled + by python-Sphinx in the build environment. ------------------------------------------------------------------- Thu Sep 7 07:55:29 UTC 2023 - Duraisankar P - Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited - Added patch, - CVE-2023-3152.patch + CVE-2023-3152.patch ------------------------------------------------------------------- Wed May 17 09:46:44 UTC 2023 - Duraisankar P - Fix CVE-2023-1668 [bsc#1210054], openvswitch: remote traffic denial of service via crafted packets with IP proto 0 - Added patch, - CVE-2023-1668.patch + CVE-2023-1668.patch ------------------------------------------------------------------- Tue May 2 07:48:43 UTC 2023 - Dominique Leuenberger @@ -28,7 +33,7 @@ Tue May 2 07:48:43 UTC 2023 - Dominique Leuenberger Wed Apr 5 21:14:59 UTC 2023 - Duraisankar P - Update OVS version to v3.1.0 and OVN version to v23.03.0 - Some of the features are, + Some of the features are, - ovs-vswitchd now detects changes in CPU affinity and adjusts the number of handler and revalidator threads if necessary. - AF_XDP: 
@@ -71,7 +76,7 @@ Wed Apr 5 21:14:59 UTC 2023 - Duraisankar P * Add new experimental PMD load based sleeping feature. PMD threads can request to sleep up to a user configured 'pmd-maxsleep' value under low load conditions. - -For more details, check + -For more details, check https://github.com/openvswitch/ovs/blob/v3.1.0/NEWS -Includes secrity fix for CVE-2022-4338 (bsc#1206580) and CVE-2022-4337 (bsc#1206581) - Removed patches, @@ -88,8 +93,8 @@ Wed Apr 5 21:14:59 UTC 2023 - Duraisankar P * 0001-Run-ovn-as-openvswitch-openvswitch.patch * 0001-Use-strongswan-for-openvswitch-ipsec-service.patch * 0001-Run-openvswitch-as-openvswitch-openvswitch.patch - - Added ovsb tool install patch, - * install-ovsdb-tools.patch + - Added ovsb tool install patch, + * install-ovsdb-tools.patch ------------------------------------------------------------------- Thu Sep 29 11:58:47 UTC 2022 - Dirk Müller @@ -279,7 +284,7 @@ Sat Feb 26 00:56:03 UTC 2022 - Ferdinand Thiessen ------------------------------------------------------------------- Mon May 10 10:28:32 UTC 2021 - Dirk Müller -- add openssl(cli) dependency on pki (bsc#1185839) +- add openssl(cli) dependency on pki (bsc#1185839) ------------------------------------------------------------------- Thu Apr 29 16:05:49 UTC 2021 - Jaime Caamaño Ruiz @@ -291,9 +296,9 @@ Thu Apr 29 16:05:49 UTC 2021 - Jaime Caamaño Ruiz Fri Feb 12 10:36:03 UTC 2021 - Jaime Caamaño Ruiz - Update openvswitch to 2.14.2. For a list of changes, check - https://github.com/openvswitch/ovs/blob/v2.14.2/NEWS + https://github.com/openvswitch/ovs/blob/v2.14.2/NEWS Includes security fix for CVE-2020-27827 (bsc#1181345) and CVE-2020-35498 - (bsc#1181742). + (bsc#1181742). - Removed patches no longer applying to code base: * 0001-rhel-Fix-reload-of-OVS_USER_ID-on-startup.patch * 0001-ipsec-Fix-Strongswan-configuration-syntax.patch 
@@ -307,7 +312,7 @@ Tue Nov 3 10:50:49 UTC 2020 - Jaime Caamaño Ruiz ------------------------------------------------------------------- Tue Sep 29 10:41:30 UTC 2020 - Jaime Caamaño Ruiz -- Fix wrong default directories for OVS python utilities (bsc#1176273). +- Fix wrong default directories for OVS python utilities (bsc#1176273). - Add upstream patches to fix openvswitch-ipsec service (bsc#1176273). * 0001-ipsec-Fix-Strongswan-configuration-syntax.patch @@ -315,9 +320,9 @@ Tue Sep 29 10:41:30 UTC 2020 - Jaime Caamaño Ruiz Tue Sep 1 13:50:47 UTC 2020 - Jaime Caamaño Ruiz - Update openvswitch to 2.14.0. For a list of changes, check - https://github.com/openvswitch/ovs/blob/v2.14.0/NEWS + https://github.com/openvswitch/ovs/blob/v2.14.0/NEWS - Update OVN to 20.06.2. For a list of changes, check - https://github.com/ovn-org/ovn/blob/v20.06.2/NEWS + https://github.com/ovn-org/ovn/blob/v20.06.2/NEWS ------------------------------------------------------------------- Mon Jun 15 13:21:22 UTC 2020 - Jaime Caamaño Ruiz @@ -333,14 +338,14 @@ Mon Jun 15 13:21:22 UTC 2020 - Jaime Caamaño Ruiz ------------------------------------------------------------------- Wed Jun 3 14:53:21 UTC 2020 - Jaime Caamaño Ruiz -- add missing provides/obsoletes for python3-openvswitch-test +- add missing provides/obsoletes for python3-openvswitch-test ------------------------------------------------------------------- Mon May 4 11:38:26 UTC 2020 - Jaime Caamaño Ruiz -- Update openvswitch to 2.13.0. +- Update openvswitch to 2.13.0. * For a list of changes, check - https://github.com/openvswitch/ovs/blob/v2.13.0/NEWS + https://github.com/openvswitch/ovs/blob/v2.13.0/NEWS * This version drops python2 binding support. Only python3 bindings provided going forward. * Tool ovs-vlan-bug-workaround is no longer provided. 
@@ -378,7 +383,7 @@ Thu Feb 13 18:06:02 UTC 2020 - Dirk Mueller Mon Oct 28 14:56:34 UTC 2019 - Jaime Caamaño Ruiz - Update openvswitch to 2.12.0. For a list of changes, check - https://github.com/openvswitch/ovs/blob/master/NEWS + https://github.com/openvswitch/ovs/blob/master/NEWS - Removed patches that are already included upstream: * 0001-rhel-secure-openvswitch-useropts.patch * 0002-rhel-let-ctl-handle-runtime-directory.patch @@ -399,25 +404,25 @@ Tue Jul 16 09:10:42 UTC 2019 - ------------------------------------------------------------------- Thu Jun 20 12:00:42 UTC 2019 - -- Update DPDK dependency to support DPDK 18.11.2. +- Update DPDK dependency to support DPDK 18.11.2. ------------------------------------------------------------------- Mon Jun 10 17:12:00 UTC 2019 - - Add upstream patches to fix bsc#1135884: - * 0001-rhel-secure-openvswitch-useropts.patch + * 0001-rhel-secure-openvswitch-useropts.patch * 0002-rhel-let-ctl-handle-runtime-directory.patch ------------------------------------------------------------------- Mon May 6 17:08:26 UTC 2019 - -- Use temporary directory for python build. +- Use temporary directory for python build. ------------------------------------------------------------------- Mon Apr 29 14:12:36 UTC 2019 - - Fix problem preventing new installs to run as non root (bsc#1132029), - including: + including: * Align with upstream so that no running configuration is changed on upgrades, specifically to avoid changes on the user Open vSwitch runs under. @@ -489,7 +494,7 @@ Thu Feb 28 11:16:58 UTC 2019 - jcaamano@suse.com - Version bump to 2.11.0. Some of the changes are: * Linux datapath: - Support for the kernel versions 4.16.x and 4.17.x. - - Support for the kernel versions 4.18.x + - Support for the kernel versions 4.18.x * OpenFlow: - OFPMP_TABLE_FEATURES_REQUEST can now modify table features. * ovs-ofctl: 
@@ -594,7 +599,7 @@ Thu Jan 24 11:34:15 UTC 2019 - Jaime Caamaño (jcaamano@suse.com) - Remove upstreamed patch: * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch - Remove DISABLE_RESTART_ON_UPDATE and DISABLE_STOP_ON_REMOVAL options (bsc#1117483). - + ------------------------------------------------------------------- Sun Jan 20 07:58:20 UTC 2019 - Thomas Bechtold @@ -605,7 +610,7 @@ Sun Jan 20 07:58:20 UTC 2019 - Thomas Bechtold Mon Nov 26 11:07:30 UTC 2018 - jcaamano@suse.com - Backport upstream fix for python json parser memory leak (bsc#1116437) - * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch + * 0001-python-c-ext-Fix-memory-leak-in-Parser_finish.patch ------------------------------------------------------------------- Thu Nov 8 11:17:38 UTC 2018 - Markos Chandras @@ -901,7 +906,7 @@ Thu Mar 1 10:39:54 UTC 2018 - mchandras@suse.de * 0003-netdev-dpdk-vHost-IOMMU-support.patch - Get rid of the old openvswitch DPDK migration steps everybody should have migrated from <2.6 to latest releases by now. - * 0001-utilities-Add-script-to-support-DPDK-option-migratio.patch + * 0001-utilities-Add-script-to-support-DPDK-option-migratio.patch ------------------------------------------------------------------- Tue Jan 9 16:25:48 UTC 2018 - mchandras@suse.de @@ -936,7 +941,7 @@ Wed Dec 6 14:00:55 UTC 2017 - mchandras@suse.de ------------------------------------------------------------------- Thu Nov 23 13:38:56 UTC 2017 - rbrown@suse.com -- Replace references to /var/adm/fillup-templates with new +- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ------------------------------------------------------------------- 
@@ -1036,7 +1041,7 @@ Thu Jul 27 13:05:42 UTC 2017 - mchandras@suse.de - Do not restart the ovs-vswitchd, ovsdb-server and openvswitch services on package removals. This facilitates potential future package moves but also preserves connectivity when the package is - removed (bsc#1050896) + removed (bsc#1050896) ------------------------------------------------------------------- Wed Jul 19 07:32:59 UTC 2017 - mchandras@suse.de @@ -1163,7 +1168,7 @@ Tue Feb 28 09:24:48 UTC 2017 - mchandras@suse.de subpackage. * Split OVN package to ovn-common, ovn-central, ovn-docker, ovn-host and ovn-controller similar to the Debian and RedHat packages. - + ------------------------------------------------------------------- Fri Nov 25 16:36:40 UTC 2016 - mchandras@suse.de @@ -1259,7 +1264,7 @@ Tue Sep 6 10:11:49 UTC 2016 - mchandras@suse.de Sun Aug 14 11:05:59 CEST 2016 - ro@suse.de - enable openvswitch-dpdk on aarch64 since dpdk - builds on aarch64 now + builds on aarch64 now ------------------------------------------------------------------- Sun Aug 7 21:11:51 CEST 2016 - ro@suse.de @@ -1671,12 +1676,12 @@ Sun Dec 28 21:27:49 UTC 2014 - andrea@opensuse.org ------------------------------------------------------------------- Tue Oct 21 11:24:25 UTC 2014 - dmueller@suse.com -- fix rcX link +- fix rcX link ------------------------------------------------------------------- Tue Sep 23 08:40:15 UTC 2014 - dmueller@suse.com -- disable shipped kmp module build for newer distros +- disable shipped kmp module build for newer distros ------------------------------------------------------------------- Mon Sep 22 07:11:35 UTC 2014 - dmueller@suse.com 
@@ -1811,7 +1816,7 @@ Thu Mar 27 12:56:32 UTC 2014 - dmueller@suse.com ------------------------------------------------------------------- Thu Mar 27 12:55:44 UTC 2014 - dmueller@suse.com -- allow to use kmod as well +- allow to use kmod as well ------------------------------------------------------------------- Mon Feb 3 17:13:36 UTC 2014 - dmueller@suse.com @@ -1821,22 +1826,22 @@ Mon Feb 3 17:13:36 UTC 2014 - dmueller@suse.com ------------------------------------------------------------------- Mon Jan 27 10:42:05 UTC 2014 - dmueller@suse.com -- fix logrotate configuration +- fix logrotate configuration ------------------------------------------------------------------- Tue Jan 21 08:48:03 UTC 2014 - dmueller@suse.com -- add openvswitch.service for systemd distros +- add openvswitch.service for systemd distros ------------------------------------------------------------------- Tue Jan 14 15:03:56 UTC 2014 - dmueller@suse.com -- add kernel-312.diff (build against Kernel 3.12.x) +- add kernel-312.diff (build against Kernel 3.12.x) ------------------------------------------------------------------- Fri Jan 3 17:54:10 UTC 2014 - dmueller@suse.com -- do not build with valgrind-devel on aarch64 (doesn't exist) +- do not build with valgrind-devel on aarch64 (doesn't exist) ------------------------------------------------------------------- Thu Dec 5 13:14:11 UTC 2013 - dmueller@suse.com @@ -1907,7 +1912,7 @@ Fri Sep 13 15:25:40 UTC 2013 - dmueller@suse.com ------------------------------------------------------------------- Fri Sep 13 10:09:18 UTC 2013 - dmueller@suse.com -- sign modules for secure boot (bnc#839838) +- sign modules for secure boot (bnc#839838) ------------------------------------------------------------------- Tue Jul 2 17:08:11 UTC 2013 - tpaszkowski@novell.com 
@@ -1925,7 +1930,7 @@ Sun Jun 16 05:30:24 UTC 2013 - vuntz@suse.com ------------------------------------------------------------------- Thu Jun 6 14:28:07 UTC 2013 - tpaszkowski@novell.com -- mark openvswitch module shipped with package as supported +- mark openvswitch module shipped with package as supported ------------------------------------------------------------------- Fri May 17 11:58:32 UTC 2013 - dmueller@suse.com @@ -1970,7 +1975,7 @@ Tue Mar 12 13:36:57 UTC 2013 - tpaszkowski@suse.com ------------------------------------------------------------------- Fri Mar 8 14:16:57 UTC 2013 - tpaszkowski@suse.com -- Provides and Obsolete for former openvswitch-common package +- Provides and Obsolete for former openvswitch-common package ------------------------------------------------------------------- Thu Mar 7 21:49:09 UTC 2013 - tpaszkowski@suse.com @@ -2118,7 +2123,7 @@ Mon Feb 20 23:39:50 UTC 2012 - on@morlock.nu Fri Sep 2 09:11:21 UTC 2011 - andrea@opensuse.org - new uopstream version 1.2.1 - * The release only contains bug fixes for the 1.2.0 release + * The release only contains bug fixes for the 1.2.0 release ------------------------------------------------------------------- Mon Aug 8 17:47:58 UTC 2011 - andrea@opensuse.org 
@@ -2128,18 +2133,18 @@ Mon Aug 8 17:47:58 UTC 2011 - andrea@opensuse.org * Packaging for Red Hat (RHEL) 5.6 and 6.0 * Datapath support for Linux kernels up to 3.0 * And many others. See the full change log here: - http://openvswitch.org/releases/ChangeLog-1.2.0 -- rebased openvswitch-1.1.0-suse.patch as + http://openvswitch.org/releases/ChangeLog-1.2.0 +- rebased openvswitch-1.1.0-suse.patch as openvswitch-1.2.0-suse.patch to apply to the files ------------------------------------------------------------------- Thu Jun 23 06:49:16 UTC 2011 - andrea@opensuse.org - new upstream version 1.1.1 - * bug fix release + * bug fix release ------------------------------------------------------------------- Wed May 18 10:09:45 UTC 2011 - andrea@opensuse.org - + - re-enabled kmp package since openvswitch_mod.ko and brcompat_mod.ko are not available on suse kernel rpms @@ -2150,14 +2155,14 @@ Tue May 17 12:04:05 UTC 2011 - andrea@opensuse.org - spec file clean up - added as dependency all python modules to enable additional functionalities -- rebase patches +- rebase patches - build pyside support only if pyside is available ------------------------------------------------------------------- Fri Dec 31 15:26:59 UTC 2010 - pmullaney@novell.com - updates for build issues -- fixes for libvirt integration +- fixes for libvirt integration ------------------------------------------------------------------- Sat Dec 11 19:57:28 UTC 2010 - pmullaney@novell.com diff --git a/openvswitch.spec b/openvswitch.spec index d5e13af..e79f29a 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -63,6 +63,7 @@ URL: http://openvswitch.org/ Source0: http://openvswitch.org/releases/openvswitch-%{version}.tar.gz Source1: https://github.com/ovn-org/ovn/archive/v%{ovn_version}.tar.gz#/ovn-%{ovn_version}.tar.gz Source2: preamble +Source10: openvswitch-user.conf Source89: Module.supported.updates Source99: openvswitch-rpmlintrc # OVS patches 
@@ -116,10 +117,12 @@ Obsoletes: %{name}-switch < 2.7.0 %if 0%{?suse_version} BuildRequires: libopenssl-devel BuildRequires: python-rpm-macros +BuildRequires: sysuser-tools Requires(post): %fillup_prereq Requires(pre): shadow Suggests: logrotate %{?systemd_ordering} +%sysusers_requires %else BuildRequires: environment-modules BuildRequires: openssl-devel @@ -507,6 +510,8 @@ bash -x boot.sh PYTHON3=%{_bindir}/python3 \ LDFLAGS=-L../%{ovs_dir}/lib/.libs %make_build +popd +%sysusers_generate_pre %{SOURCE10} openvswitch openvswitch.conf %check %if %{with check} @@ -727,7 +732,9 @@ rm %{buildroot}%{_docdir}/ovn/conf.py # Done with OVN additional files. popd -%pre +install -D -m 0644 %{SOURCE10} %{buildroot}%{_sysusersdir}/openvswitch.conf + +%pre -f openvswitch.pre %if 0%{?suse_version} %service_add_pre ovsdb-server.service ovs-vswitchd.service openvswitch.service ovs-delete-transient-ports.service %endif @@ -736,17 +743,10 @@ if [ "$1" -ge 1 ]; then # ownership of openvswitch.service from openvswitch-switch to # openvswitch. if [ x$(systemctl is-enabled openvswitch.service 2>/dev/null ||:) = "xenabled" ]; then - touch %{rpmstate}openvswitch + touch %{rpmstate}openvswitch || : fi fi -getent group openvswitch >/dev/null || groupadd -r openvswitch -getent passwd openvswitch >/dev/null || \ - useradd -r -g openvswitch -d / -s /sbin/nologin \ - -c "Open vSwitch Daemons" openvswitch - -exit 0 - %pre ipsec %if 0%{?suse_version} %service_add_pre openvswitch-ipsec.service @@ -1171,6 +1171,7 @@ fi %{_fillupdir}/sysconfig.openvswitch %{_datadir}/bash-completion/completions/ovs-appctl-bashcomp.bash %{_datadir}/bash-completion/completions/ovs-vsctl-bashcomp.bash +%{_sysusersdir}/openvswitch.conf %else %config(noreplace) %{_sysconfdir}/sysconfig/openvswitch %{_sysconfdir}/bash_completion.d/ovs-appctl-bashcomp.bash
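Review bot: In openvswitch-user.conf the header comment names five columns (`# Type Name ID GECOS [HOME]`) but the `u` line supplies a sixth, the shell `/sbin/nologin`. Add Shell to the comment so the next editor does not read `/sbin/nologin` as a stray field. The `g openvswitch - -` line also carries a `-` in the GECOS position, which a group entry does not use; `g openvswitch -` states the same thing.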
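Review bot: In the first openvswitch.changes hunk, the Sep 7 2023 entry says "Fix CVE-2023-3153" while the patch line this hunk rewrites is `CVE-2023-3152.patch`. Since the line is being touched anyway, confirm which identifier is correct and make the entry and the patch file name agree, otherwise anyone auditing the package for that CVE by file name or by changelog text will miss one of the two.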
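Review bot: Apart from the new Dec 14 2023 entry, every removed and added pair in openvswitch.changes reads identically here (for example `- fix rcX link` against `+ fix rcX link`), which points to whitespace-only edits across entries going back to 2010. Drop those from this commit or send them separately, so the diff for the sysusers conversion shows only the one changelog entry that belongs to it and the historical record is not rewritten as a side effect.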
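Review bot: In the openvswitch.spec hunk at `@@ -116,10 +117,12`, `Requires(pre): shadow` stays as context right above the new `%sysusers_requires`, while the `%pre` hunk removes the only visible `groupadd` and `useradd` calls. If no other scriptlet still uses the shadow tools, remove that line in the same change so the package does not keep a stale pre-install dependency.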
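Review bot: The guarded and unguarded parts of the conversion in openvswitch.spec do not line up. `BuildRequires: sysuser-tools` and `%sysusers_requires` are added inside `%if 0%{?suse_version}`, and the `%{_sysusersdir}/openvswitch.conf` file entry is added just before an `%else`, but `%sysusers_generate_pre`, the `install -D -m 0644 %{SOURCE10} ...` line and `%pre -f openvswitch.pre` show no such guard in the visible context, and the `getent`/`groupadd`/`useradd` block is removed from `%pre` with no replacement for the other branch. As far as these hunks show, a non-SUSE build would call a macro whose provider is not pulled in, install a file that is not listed in its file section, and no longer create the openvswitch user and group that the daemons run under. Either put the three unguarded lines under the same `%if 0%{?suse_version}` and keep the old account creation in the `%else` path, or remove the `%else` branches if non-SUSE builds are no longer supported.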