ovs-ctl: allow passing user:group to daemons

The Open vSwitch daemons allow passing --user user[:group] to allow spawning under different user privileges. ovs-ctl now accepts --ovs-user in the same form to pass this argument on, as well as create databases and data directories with the appropriate privileges. Signed-off-by: Aaron Conole <aconole@redhat.com> Reviewed-by: Markos Chandras <mchandras@suse.de> Signed-off-by: Andy Zhou <azhou@ovn.org>
openvswitch · Feb 24, 2017 · 9ab5390 · 9ab5390
1 parent 02a9757
commit 9ab5390
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/utilities/ovs-ctl.8 b/utilities/ovs-ctl.8
@@ -159,6 +159,13 @@ Deletes all ports that have the other_config:transient value set to true. This
 is important on certain environments where some ports are going to be recreated
 after reboot, but other ports need to be persisted in the database.
 .
+.IP "\fB\-\-ovs\-user=user[:group]\fR"
+Ordinarily Open vSwitch daemons are started as the user invoking the ovs-ctl
+command.  Some system administrators would prefer to have the various daemons
+spawn as different users in their environments.  This option allows passing the
+\fB\-\-user\fR option to the \fBovsdb\-server\fR and \fBovs\-vswitchd\fR
+daemons, allowing them to change their privilege levels.
+.
 .PP
 The following options are less important:
 .

diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in
@@ -170,6 +170,8 @@ do_start_ovsdb () {
         set "$@" --private-key=db:Open_vSwitch,SSL,private_key
         set "$@" --certificate=db:Open_vSwitch,SSL,certificate
         set "$@" --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
+        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
         start_daemon "$OVSDB_SERVER_PRIORITY" "$OVSDB_SERVER_WRAPPER" "$@" \
             || return 1
 
@@ -239,6 +241,8 @@ do_start_forwarding () {
         if test X"$SELF_CONFINEMENT" = Xno; then
             set "$@" --no-self-confinement
         fi
+        [ "$OVS_USER" != "" ] && set "$@" --user "$OVS_USER"
+
         start_daemon "$OVS_VSWITCHD_PRIORITY" "$OVS_VSWITCHD_WRAPPER" "$@" ||
             return 1
     fi
@@ -503,6 +507,7 @@ set_defaults () {
     MLOCKALL=yes
     SELF_CONFINEMENT=yes
     MONITOR=yes
+    OVS_USER=
     OVSDB_SERVER=yes
     OVS_VSWITCHD=yes
     OVSDB_SERVER_PRIORITY=-10
@@ -570,6 +575,7 @@ Other important options for "start", "restart" and "force-reload-kmod":
   --external-id="key=value"
                      add given key-value pair to Open_vSwitch external-ids
   --delete-bridges   delete all bridges just before starting ovs-vswitchd
+  --ovs-user="user[:group]"  pass the --user flag to ovs daemons
 
 Less important options for "start", "restart" and "force-reload-kmod":
   --daemon-cwd=DIR               set working dir for OVS daemons (default: $DAEMON_CWD)

diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in
@@ -150,8 +150,13 @@ version_geq() {
 
 install_dir () {
     DIR="$1"
+    INSTALL_USER="root"
+    INSTALL_GROUP="root"
+    [ "$OVS_USER" != "" ] && INSTALL_USER="${OVS_USER%:*}"
+    [ "${OVS_USER##*:}" != "" ] && INSTALL_GROUP="${OVS_USER##*:}"
+
     if test ! -d "$DIR"; then
-        install -d -m 755 -o root -g root "$DIR"
+        install -d -m 755 -o "$INSTALL_USER" -g "$INSTALL_GROUP" "$DIR"
         restorecon "$DIR" >/dev/null 2>&1
     fi
 }
@@ -372,7 +377,11 @@ move_ip_routes () {
 }
 
 ovsdb_tool () {
-    ovsdb-tool -vconsole:off "$@"
+    if [ "$OVS_USER" != "" ]; then
+        runuser --user "${OVS_USER%:*}" -- ovsdb-tool -vconsole:off "$@"
+    else
+        ovsdb-tool -vconsole:off "$@"
+    fi
 }
 
 create_db () {