openvswitch/0001-Run-ovn-as-openvswitch-openvswitch.patch

From aa1869378cf512fd7aeee16c0a030264c2623270 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <jcaamano@suse.com>
Date: Fri, 8 May 2020 11:23:04 +0200
Subject: [PATCH] Run ovn as openvswitch:openvswitch

Change default run configuration to unprivilieged user openvswitch and
group openvswitch. Expect any further customization from user in
sysconfig/ovn.
---
 rhel/etc_logrotate.d_ovn                                | 2 +-
 rhel/usr_lib_systemd_system_ovn-controller-vtep.service | 1 +
 rhel/usr_lib_systemd_system_ovn-controller.service      | 1 +
 rhel/usr_lib_systemd_system_ovn-northd.service          | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/rhel/etc_logrotate.d_ovn b/rhel/etc_logrotate.d_ovn
index a351ec303..4b26333fc 100644
--- a/rhel/etc_logrotate.d_ovn
+++ b/rhel/etc_logrotate.d_ovn
@@ -6,7 +6,7 @@
 # without warranty of any kind.
 
 /var/log/ovn/*.log {
-    su root root
+    su openvswitch openvswitch
     daily
     compress
     sharedscripts
diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
index 09ad0612c..dd6ff6675 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service
@@ -35,6 +35,7 @@ After=openvswitch.service
 [Service]
 Type=simple
 Restart=on-failure
+Environment=OVN_USER_ID=openvswitch:openvswitch
 Environment=OVS_RUNDIR=%t/openvswitch
 Environment=OVN_RUNDIR=%t/ovn
 Environment=OVN_DB=unix:%t/ovn/ovnsb_db.sock
diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service
index 15d0ac853..c602760f1 100644
--- a/rhel/usr_lib_systemd_system_ovn-controller.service
+++ b/rhel/usr_lib_systemd_system_ovn-controller.service
@@ -23,6 +23,7 @@ After=openvswitch.service
 Type=forking
 PIDFile=/var/run/ovn/ovn-controller.pid
 Restart=on-failure
+Environment=OVN_USER_ID=openvswitch:openvswitch
 Environment=OVN_RUNDIR=%t/ovn OVS_RUNDIR=%t/openvswitch
 EnvironmentFile=-/etc/sysconfig/ovn
 EnvironmentFile=-/etc/sysconfig/ovn-controller
diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service
index d281f861c..d5c7dfa5f 100644
--- a/rhel/usr_lib_systemd_system_ovn-northd.service
+++ b/rhel/usr_lib_systemd_system_ovn-northd.service
@@ -20,6 +20,7 @@ After=syslog.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+Environment=OVN_USER_ID=openvswitch:openvswitch
 Environment=OVN_RUNDIR=%t/ovn OVN_DBDIR=/var/lib/ovn
 EnvironmentFile=-/etc/sysconfig/ovn
 EnvironmentFile=-/etc/sysconfig/ovn-northd
-- 
2.16.4
Accepting request 802898 from home:jaicaa:branches:network - Update openvswitch to 2.13.0. * For a list of changes, check https://github.com/openvswitch/ovs/blob/v2.13.0/NEWS * This version drops python2 binding support. Only python3 bindings provided going forward. * Tool ovs-vlan-bug-workaround is no longer provided. - OVN was split to its own repo but is still built together with OVS and as such from this same source package. OVN initial version is 20.03. * For a list of changes, check https://github.com/ovn-org/ovn/blob/v20.03.0/NEWS * Packages openvswitch-ovn* are renamed to ovn. OVN now has its own sysconfig and log paths. - Add OVS patch to be proposed upstream: * 0001-rhel-Fix-reload-of-OVS_USER_ID-on-startup.patch - Patch instead of post-processing configuration files to set running credentials (bsc#1157338): * 0001-Run-openvswitch-as-openvswitch-openvswitch.patch * 0001-Run-ovn-as-openvswitch-openvswitch.patch - Will no longer change group ownership of /dev/hugepages to 'hugetlbfs' (bsc#1140835). System admin should mount hugepages on a path and permissions of his choosing for OVS. Add patch: * 0001-dont-change-permissions-of-dev-hugepages.patch - Will no longer install udev rule to change group ownership of vfio devices to 'hugetlbfs'. Group name does not make much sense in this case and ownership of vfio devices should be coordinated system wide or per device. - Will no longer run under group 'hugetlbfs' on new installs with DPDK enabled. OVS will now run under group 'openvswitch' whether compiled with DPDK support or not. - OVS persistent state is now saved on /var/lib/openvswitch instead of /etc/openvswitch for new installs. OBS-URL: https://build.opensuse.org/request/show/802898 OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=196 2020-05-20 09:45:43 +02:00			`From aa1869378cf512fd7aeee16c0a030264c2623270 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Jaime=20Caama=C3=B1o=20Ruiz?= <jcaamano@suse.com>`
			`Date: Fri, 8 May 2020 11:23:04 +0200`
			`Subject: [PATCH] Run ovn as openvswitch:openvswitch`

			`Change default run configuration to unprivilieged user openvswitch and`
			`group openvswitch. Expect any further customization from user in`
			`sysconfig/ovn.`
			`---`
			`rhel/etc_logrotate.d_ovn \| 2 +-`
			`rhel/usr_lib_systemd_system_ovn-controller-vtep.service \| 1 +`
			`rhel/usr_lib_systemd_system_ovn-controller.service \| 1 +`
			`rhel/usr_lib_systemd_system_ovn-northd.service \| 1 +`
			`4 files changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/rhel/etc_logrotate.d_ovn b/rhel/etc_logrotate.d_ovn`
			`index a351ec303..4b26333fc 100644`
			`--- a/rhel/etc_logrotate.d_ovn`
			`+++ b/rhel/etc_logrotate.d_ovn`
			`@@ -6,7 +6,7 @@`
			`# without warranty of any kind.`

			`/var/log/ovn/*.log {`
			`- su root root`
			`+ su openvswitch openvswitch`
			`daily`
			`compress`
			`sharedscripts`
			`diff --git a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service`
			`index 09ad0612c..dd6ff6675 100644`
			`--- a/rhel/usr_lib_systemd_system_ovn-controller-vtep.service`
			`+++ b/rhel/usr_lib_systemd_system_ovn-controller-vtep.service`
			`@@ -35,6 +35,7 @@ After=openvswitch.service`
			`[Service]`
			`Type=simple`
			`Restart=on-failure`
			`+Environment=OVN_USER_ID=openvswitch:openvswitch`
			`Environment=OVS_RUNDIR=%t/openvswitch`
			`Environment=OVN_RUNDIR=%t/ovn`
			`Environment=OVN_DB=unix:%t/ovn/ovnsb_db.sock`
			`diff --git a/rhel/usr_lib_systemd_system_ovn-controller.service b/rhel/usr_lib_systemd_system_ovn-controller.service`
			`index 15d0ac853..c602760f1 100644`
			`--- a/rhel/usr_lib_systemd_system_ovn-controller.service`
			`+++ b/rhel/usr_lib_systemd_system_ovn-controller.service`
			`@@ -23,6 +23,7 @@ After=openvswitch.service`
			`Type=forking`
			`PIDFile=/var/run/ovn/ovn-controller.pid`
			`Restart=on-failure`
			`+Environment=OVN_USER_ID=openvswitch:openvswitch`
			`Environment=OVN_RUNDIR=%t/ovn OVS_RUNDIR=%t/openvswitch`
			`EnvironmentFile=-/etc/sysconfig/ovn`
			`EnvironmentFile=-/etc/sysconfig/ovn-controller`
			`diff --git a/rhel/usr_lib_systemd_system_ovn-northd.service b/rhel/usr_lib_systemd_system_ovn-northd.service`
			`index d281f861c..d5c7dfa5f 100644`
			`--- a/rhel/usr_lib_systemd_system_ovn-northd.service`
			`+++ b/rhel/usr_lib_systemd_system_ovn-northd.service`
			`@@ -20,6 +20,7 @@ After=syslog.target`
			`[Service]`
			`Type=oneshot`
			`RemainAfterExit=yes`
			`+Environment=OVN_USER_ID=openvswitch:openvswitch`
			`Environment=OVN_RUNDIR=%t/ovn OVN_DBDIR=/var/lib/ovn`
			`EnvironmentFile=-/etc/sysconfig/ovn`
			`EnvironmentFile=-/etc/sysconfig/ovn-northd`
			`--`
			`2.16.4`