Can we assume ovsdb-server will be launched by the process that has
the right owner and group?

On Wed, Aug 26, 2015 at 2:19 PM, Ben Pfaff <b...@nicira.com> wrote:
> I guess the question is from what users and groups should ovsdb-server
> accept connections.  If it's only supposed to accept connections from
> root or a specified group, then it needs to have the correct privileges
> to at least create a root-owned socket or a socket with that group.
>
> On Fri, Aug 21, 2015 at 11:05:57PM -0700, Alex Wang wrote:
>> If we want to make ovsdb-server non-root, this change may not be needed.
>>
>> On Fri, Aug 21, 2015 at 11:10 PM, Alex Wang <al...@nicira.com> wrote:
>>
>> > This commit adds a new key-value pair, 'punix_file_group=<user group>',
>> > to the 'other_config' column in the 'Manager' table.  This new config
>> > allows users to change the punix socket file's group ownership, so that
>> > non-root processes can also connect to ovsdb-server.
>> >
>> > Signed-off-by: Alex Wang <al...@nicira.com>
>> > ---
>> >  ovsdb/jsonrpc-server.c |    6 ++++++
>> >  ovsdb/jsonrpc-server.h |    1 +
>> >  ovsdb/ovsdb-server.c   |    2 ++
>> >  vswitchd/vswitch.xml   |   16 ++++++++++++++++
>> >  4 files changed, 25 insertions(+)
>> >
>> > diff --git a/ovsdb/jsonrpc-server.c b/ovsdb/jsonrpc-server.c
>> > index fffcb73..387a7a0 100644
>> > --- a/ovsdb/jsonrpc-server.c
>> > +++ b/ovsdb/jsonrpc-server.c
>> > @@ -32,6 +32,7 @@
>> >  #include "row.h"
>> >  #include "server.h"
>> >  #include "simap.h"
>> > +#include "socket-util.h"
>> >  #include "stream.h"
>> >  #include "table.h"
>> >  #include "timeval.h"
>> > @@ -227,6 +228,11 @@ ovsdb_jsonrpc_server_set_remotes(struct
>> > ovsdb_jsonrpc_server *svr,
>> >          }
>> >
>> >          ovsdb_jsonrpc_session_set_all_options(remote, options);
>> > +
>> > +        if (!strncmp(node->name, "punix:", 6)) {
>> > +            unix_socket_set_file_group(node->name + 6,
>> > +                                       options->punix_file_group);
>> > +        }
>> >      }
>> >  }
>> >
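Review bot: the new `unix_socket_set_file_group()` call in `ovsdb_jsonrpc_server_set_remotes()` ignores whatever failure the helper reports and runs unconditionally on every pass through the remotes loop; when the group does not exist or the process lacks the privilege to change the socket's group, the file silently keeps its previous owner and mode while the database claims otherwise. Suggest checking the helper's result (or errno) and emitting a `VLOG_WARN` naming the socket and the group, and only attempting the change when `options->punix_file_group` is non-NULL so the default case does not touch the file at all.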
>> > diff --git a/ovsdb/jsonrpc-server.h b/ovsdb/jsonrpc-server.h
>> > index fce8b7b..36a15f3 100644
>> > --- a/ovsdb/jsonrpc-server.h
>> > +++ b/ovsdb/jsonrpc-server.h
>> > @@ -35,6 +35,7 @@ struct ovsdb_jsonrpc_options {
>> >      int max_backoff;            /* Maximum reconnection backoff, in msec.
>> > */
>> >      int probe_interval;         /* Max idle time before probing, in msec.
>> > */
>> >      int dscp;                   /* Dscp value for manager connections */
>> > +    const char *punix_file_group; /* For setting the punix file's group.
>> > */
>> >  };
>> >  struct ovsdb_jsonrpc_options *
>> >  ovsdb_jsonrpc_default_options(const char *target);
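Review bot: `punix_file_group` is a borrowed `const char *` in a struct whose other fields are plain values, and the comment does not say who owns the string or how long it stays valid; `add_manager_options()` fills it straight from a database row. If an options struct can outlive that row, store an owned copy with `xstrdup()` and free it wherever the options are destroyed, and say so in the field comment either way.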
>> > diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
>> > index cd13b0d..8dca006 100644
>> > --- a/ovsdb/ovsdb-server.c
>> > +++ b/ovsdb/ovsdb-server.c
>> > @@ -770,6 +770,8 @@ add_manager_options(struct shash *remotes, const
>> > struct ovsdb_row *row)
>> >              options->dscp = dscp;
>> >          }
>> >      }
>> > +    options->punix_file_group = read_map_string_column(row,
>> > "other_config",
>> > +
>> >  "punix_file_group");
>> >  }
>> >
>> >  static void
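Review bot: the value read from `other_config:punix_file_group` is stored without any validation, so nothing rejects an empty string or confirms that the named group exists on the host; a typo in the database leaves the socket in its default state with no diagnostic. Suggest resolving the name with `getgrnam()` here (or in the helper that applies it) and logging a warning when lookup fails, so the operator learns why non-root clients still cannot connect.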
>> > diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
>> > index 6f6e0ed..ae7abfb 100644
>> > --- a/vswitchd/vswitch.xml
>> > +++ b/vswitchd/vswitch.xml
>> > @@ -4286,6 +4286,22 @@
>> >          default value of 48 is chosen.  Valid DSCP values must be in the
>> > range
>> >          0 to 63.
>> >        </column>
>> > +
>> > +      <column name="other_config" key="punix_file_group"
>> > +                type='{"type": "string"}'>
>> > +        <p>
>> > +          When connection method in <ref column="target"/> is
>> > +          <code>punix</code>, this config specifies the user group to
>> > which
>> > +          the group ownership for 'punix' (unix domain socket) file
>> > created
>> > +          by ovsdb will be applied.  Also, the file's access permission
>> > will be
>> > +          changed to '0770'.
>> > +        </p>
>> > +        <p>
>> > +          By default, the 'punix' file is associated with the 'root'
>> > +          group and have access permission '0700'.  If this config is
>> > +          not specified or specified as 'root', the default is restored.
>> > +        </p>
>> > +      </column>
>> >      </group>
>> >
>> >      <group title="Common Columns">
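Review bot: the documentation in the new `punix_file_group` column has grammar slips and a gap. "have access permission '0700'" should be "has access permission '0700'", and "the user group to which the group ownership for 'punix' (unix domain socket) file created by ovsdb will be applied" reads more plainly as "the group that will own the 'punix' (Unix domain socket) file created by ovsdb-server". The text should also state what happens when the named group does not exist, and that ovsdb-server must run as root or as a member of that group for the change to take effect, which is the privilege point Ben raises.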
>> > --
>> > 1.7.9.5
>> >
>> >
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
